Section 1: Introduction


1.  Introduction 

The proliferation of distributed computer systems gives increasing importance
to correctness proofs of distributed algorithms. Techniques for verifying sequential
algorithms have been extended to handle concurrent and distributed ones, for example
by Owicki and Gries [OG], Manna and Pnueli [MP], Lamport and Schneider [LSc], and
Alpern and Schneider [AS]. Practical algorithms are usually optimized for efficiency
rather than simplicity, and proving them correct may be feasible only if the proofs
can be structured. For a sequential algorithm, the proof is structured by developing
a hierarchy of increasingly detailed versions of the algorithm and proving that each
correctly implements the next higher-level version. This approach has been extended
to concurrent algorithms by Lamport [L], Stark [S], Harel [H], Kurshan [K], and Lynch
and Tuttle [LT], where a single action in a higher-level representation can represent
a sequence of lower-level actions. The higher-level versions usually provide a global
view of the algorithm, with progress made in large atomic steps and a large amount of
nondeterminism allowed. At the lowest level is the original algorithm, which takes a
purely local view, has more atomic steps, and usually has more constraints on the
order of events.

With its totally ordered chain of versions, this hierarchical approach usually
does not allow one to focus on a single task in the algorithm. The method described
in this paper extends the hierarchical approach to a lattice of versions. At the
bottom of the lattice is the original algorithm, which is a refinement of all other
versions. However, two versions in the lattice may be incommensurable, neither one
being a refinement of the other.

Multiple higher-level versions of a communication protocol, each focusing on
a different function, were considered by Lam and Shankar [LSh]. They called each
higher-level version a "projection". If the original protocol is sufficiently modular,
then it can be represented as the composition of the projections, and the correctness
of the original algorithm follows immediately from the correctness of the projections.
This approach was used by Fekete, Lynch, and Shrira [FLS] to prove the correctness
of Awerbuch's synchronizer [A1].

Not all algorithms are modular. In practical algorithms, modularity is often
destroyed by optimizations. The correctness of a non-modular algorithm is not an
immediate consequence of the correctness of its higher-level versions. The method
presented in this paper uses the correctness of higher-level versions of an algorithm
to simplify its proof. The proofs of correctness of all the versions in the lattice
(in which the original algorithm is the lowest-level version) constitute a structured
proof of the algorithm.


Any path through our lattice of representations ending at the original algorithm
is a totally-ordered hierarchy of versions that can be used in a conventional
hierarchical proof. Why do we need the rest of the lattice? Each version in the
lattice allows us to formulate and prove invariants about a separate task performed
by the algorithm. These invariants will appear somewhere in any assertional proof
of the original algorithm. Our method permits us to prove them at as high a level
of abstraction as possible.

The method proceeds inductively, top down through the lattice. First, the
highest-level version is shown directly to have the original algorithm's desired
property, which involves proving that it satisfies some invariant. Next, let $A$ be
any algorithm in the lattice, let $B_1, \ldots, B_i$ ($i \geq 1$) be the algorithms
immediately above $A$ in the lattice, and let $Q_1, \ldots, Q_i$ be their invariants.
We prove that $A$ satisfies the same safety properties as each $B_j$, and that a
particular predicate $P$ is invariant for $A$. The invariant $P$ has the form
$Q \wedge Q_1 \wedge \cdots \wedge Q_i$ for some predicate $Q$. In this way, the
invariants $Q_j$ are carried down to the proof of lower-level algorithms, and $Q$
introduces information that cannot appear any higher in the lattice: information
about details of the algorithm that do not appear at higher levels, and relations
between the $B_j$. We provide two sets of sufficient conditions for verifying these
safety properties, one set for the case $i = 1$, and the other for $i > 1$. We also
provide three techniques for verifying liveness properties; only one of them makes
use of the lattice structure.

The technique is used to prove Gallager, Humblet and Spira's distributed minimum
spanning tree algorithm [GHS]. This algorithm has been of great interest for some
time. There appears in [GHS] an intuitive description of why the algorithm should
work, but no rigorous proof. There are several reasons for giving a formal proof.
First, the algorithm has important applications in distributed systems, so its
correctness is of concern. Second, the algorithm often appears as part of other
algorithms [A2,AG], and the correctness of these algorithms depends upon the
correctness of the minimum spanning tree algorithm. Finally, many concepts and
techniques have been taken from the algorithm, out of context, and used in other
algorithms [A2,CT,G]. Yet the pieces of the algorithm interact in subtle ways, some
of which are not explained in the original paper. A careful proof of the entire
algorithm can indicate the dependencies between the pieces.

Our proof method helped us to find the correct invariants; it allowed us to
describe the algorithm at a high level, yet precisely, and to use our intuition about
the algorithm to reason at an appropriate level of abstraction. A by-product of our
proof was a better understanding of the purpose and importance of certain parts of
the algorithm, enabling us to discover a slight optimization.

The complete proof of the correctness of this minimum spanning tree algorithm
is very long and can be found in [W]. One reason for its length is the intricacy of
the algorithm. Another reason is the duplication inherent in the approach: the code
in all the versions is repetitive, because of carry-over from a higher-level version
to its refinement, and because the original algorithm cannot be presented as a
true composition of its immediate projections; the repetition in the code leads to
repetition in the proof. The full proof also includes extremely detailed arguments,
detailed enough so we hope that, in the not too distant future, they will be
machine-checkable. This level of detail seems necessary to catch small bugs in the
program and the proof.

Two  other  proofs  of  this  algorithm  have  recently  been  developed.  Stomp  and 
de  Roever  [SdR]  used  the  notion  of  communication-closed  layers,  introduced  by 
Elrad  and  Francez  [EF].  Chou  and  Gafni  [CG]  prove  the  correctness  of  a  simpler, 
more  sequential  version  of  the  algorithm  and  then  prove  that  every  execution  of  the 
original  algorithm  is  equivalent  to  an  execution  of  the  more  sequential  version. 

2.  Foundations 

This section contains the definitions and results that form the basis for our
lattice-structured proof method. Our method can be used with any state-based,
assertional verification technique. In this paper, we formulate it in terms of the
I/O automaton model of Lynch, Merritt, and Tuttle [LT,LM], which provides a
convenient, ready-made "language" for our use. A summary of the I/O automaton
model appears in the Appendix.

The first step is to design the lattice, using one's intuition about the algorithm.
Each element in the lattice is a version of the algorithm, described as an I/O
automaton, and has associated with it a predicate. The bottom element of the lattice
is the original algorithm. Next, we must show that all the predicates in the lattice
are invariants. The invariant for the top element of the lattice must be shown
directly. Assuming that $Q_1, \ldots, Q_i$ are invariants for the versions
$B_1, \ldots, B_i$ directly above $A$ in the lattice, we verify that the predicate
$P = Q \wedge Q_1 \wedge \cdots \wedge Q_i$ is invariant for $A$, by demonstrating
mappings that preserve $Q$ and take executions of $A$ to executions of
$B_1, \ldots, B_i$ (thus preserving $Q_1 \wedge \cdots \wedge Q_i$). (Finding these
mappings requires insight about the algorithm.) Finally, the lattice is used to show
that the original algorithm solves the problem of interest by showing directly that
the top element in the lattice solves the problem, and showing a path
$A_1, \ldots, A_k$ in the lattice from top to bottom such that each version in the
path satisfies its predecessor. To show that $A_i$ satisfies $A_{i-1}$, we show that
for every fair execution of $A_i$, there is a fair execution of $A_{i-1}$ with the
same sequence of external actions. The mapping used to verify the invariants takes
executions to executions; by adding some additional constraints on the mapping, we
can prove, using the invariants, that it takes fair executions to fair executions
with the same sequence of external actions, i.e., that liveness properties are
preserved.

Section 2.1 deals with safety properties. First, suppose there are two automata,
$A$ and $B$, where $B$ is offered as a "more abstract" version of $A$. We define a
mapping from executions of $A$ to sequences of alternating states and actions of
$B$; if the mapping obeys certain conditions, we say $A$ simulates $B$. Lemma 1
proves that this definition preserves important safety properties, namely that
executions of $A$ map to executions of $B$, and that a certain predicate is an
invariant for $A$. Next we suppose that there are several higher-level versions,
$A_1$, $A_2$, etc., of one more concrete automaton $A$. There are situations in
which it is difficult to show independently that $A$ simulates $A_1$ and $A$
simulates $A_2$, but invariants about states of $A_2$ can help show a mapping from
$A$ to $A_1$, and invariants about states of $A_1$ can help show a mapping from $A$
to $A_2$. To capture this, we define a notion of simultaneously simulates, which
Lemma 2 proves preserves the same safety properties as in Lemma 1. Of course, to be
able to apply Lemma 2, we must know what the invariants of $A_1$ and $A_2$ are,
which may require having already shown that $A_1$ and $A_2$ simulate other automata.

Section 2.2 considers liveness properties. Given automata $A$ and $B$, and a
locally-controlled action $\varphi$ of $B$, a definition of $A$ being equitable for
$\varphi$ is given; Lemmas 3 and 4 show that this definition implies that in the
execution of $B$ obtained from a fair execution of $A$ by either of the simulation
mappings, once $\varphi$ becomes enabled, it either occurs or becomes disabled. We
are on our way to verifying the fairness of the induced execution of $B$.

Three methods of showing that $A$ is equitable for locally-controlled action
$\varphi$ of $B$ are described. The first method is to show that there is an action
$\rho$ of $A$ that is enabled whenever $\varphi$ is, and whose occurrence implies
$\varphi$'s occurrence. (Cf. Lemma 5.)

The second method uses a definition of $A$ being progressive for $\varphi$. The
intuition behind the definition is that there is a set of "helping" actions of $A$
that are guaranteed to occur, and which make progress toward an occurrence of
$\varphi$ in the induced execution of $B$. Lemma 6 shows that progressive implies
equitable.

The third method for checking the equitable condition can be useful when
various automata are arranged in a lattice. (See Figure 1.) Suppose $B$ and $C$ are
more abstract versions of $A$, and $D$ is a more abstract version of $C$. In order to
show that $A$ is equitable for action $\varphi$ of $B$, we demonstrate an action
$\rho$ of $D$ that is "similar" to $\varphi$, such that $C$ is progressive for $\rho$
using a set of helping actions, and $A$ is equitable for all the helping actions in
that set. (Cf. Lemma 7.)


V  B 


Figure  1 


Theorems 8 and 9 in Section 2.3 relate the definitions of simulates, simultaneously
simulates, and equitable to the notion of satisfaction.

2.1  Safety 

Let $A$ and $B$ be automata. Throughout this paper, we only consider automata
such that each locally-controlled action is in a separate class of the action
partition. (The definitions and results of this section can be generalized to avoid
this assumption, but the statements and proofs are more complicated, and the
generalization is not needed for the proof of the [GHS] algorithm.) Let alt-seq($B$)
be the set of all finite sequences of alternating actions of $B$ and states of $B$
that begin and end with an action, including the empty sequence (and the sequence of
a single action). An abstraction mapping $\mathcal{M}$ from $A$ to $B$ is a pair of
functions, $\mathcal{S}$ and $\mathcal{A}$, where $\mathcal{S}$ maps states($A$) to
states($B$) and $\mathcal{A}$ maps pairs $(s, \pi)$, of states $s$ of $A$ and actions
$\pi$ of $A$ enabled in $s$, to alt-seq($B$).
Given an execution fragment $e = s_0 \pi_1 s_1 \ldots$ of $A$, define
$\mathcal{M}(e)$ as follows.

• If $e = s_0$, then $\mathcal{M}(e) = \mathcal{S}(s_0)$.

• Suppose $e = s_0 \ldots s_{i-1} \pi_i s_i$, $i > 0$. If
$\mathcal{A}(s_{i-1}, \pi_i)$ is empty, then
$\mathcal{M}(e) = \mathcal{M}(s_0 \ldots s_{i-1})$. If
$\mathcal{A}(s_{i-1}, \pi_i) = \varphi_1 t_1 \ldots t_{m-1} \varphi_m$, then
$\mathcal{M}(e) = \mathcal{M}(s_0 \ldots s_{i-1})\, \varphi_1 t_1 \ldots t_{m-1}
\varphi_m\, \mathcal{S}(s_i)$. The $t_j$ are called interpolated states of
$\mathcal{M}(e)$.

• If $e$ is infinite, then $\mathcal{M}(e)$ is the limit of
$\mathcal{M}(s_0 \pi_1 s_1 \ldots s_i)$ as $i$ increases without bound.

We now define a particular kind of abstraction mapping, one tailored for
showing inductively that a certain predicate is an invariant of $A$, and that
executions of $A$ map to (nontrivial) executions of $B$. (A predicate is a
Boolean-valued function. If $Q$ is a predicate on states($B$), and $\mathcal{S}$
maps states($A$) to states($B$), then $(Q \circ \mathcal{S})$, applied to state $s$
of $A$, is the predicate "$Q$ is true in $\mathcal{S}(s)$," and is also written
$Q(\mathcal{S}(s))$.) We give two sets of conditions on abstraction mappings, both
of which imply that executions map to executions, with the same sequence of external
actions. The first set of conditions applies when there is a single higher-level
automaton immediately above. As formalized in Lemma 1, condition (2) ensures that
the sequences of external actions are the same, and conditions (1) and (3) ensure
that executions map to executions, and that a certain predicate is an invariant for
the lower-level algorithm. A key point about this predicate is that it includes the
higher-level invariant. Condition (1) is the basis step. Condition (3) is the
inductive step, in which the predicate, including the high-level invariant, may be
used; part (a) shows the low-level predicate is invariant, while parts (b) and (c)
show executions map to executions, by ensuring that if there is no corresponding
high-level action, then the high-level state is unchanged, and if there is a
corresponding high-level action, then it is enabled in the previous high-level state
and its effects are mirrored in the subsequent high-level state. Since executions
map to executions, the high-level invariant, when composed with the state mapping,
is also invariant for $A$.

Definition: Let $A$ and $B$ be automata with the same external action signature.
Let $\mathcal{M} = (\mathcal{S}, \mathcal{A})$ be an abstraction mapping from $A$ to
$B$, $P$ be a predicate on states($A$), and $Q$ be a predicate true of all reachable
states of $B$. We say $A$ simulates $B$ via $\mathcal{M}$, $P$, and $Q$ if the
following three conditions are true.

(1) If $s$ is in start($A$), then
(a) $P(s)$ is true, and
(b) $\mathcal{S}(s)$ is in start($B$).

(2) If $s$ is a state of $A$ such that $Q(\mathcal{S}(s))$ and $P(s)$ are true, and
$\pi$ is any action of $A$ enabled in $s$, then
$\mathcal{A}(s, \pi)|\mathrm{ext}(B) = \pi|\mathrm{ext}(A)$.

(3) Let $(s', \pi, s)$ be a step of $A$ such that $Q(\mathcal{S}(s'))$ and $P(s')$
are true. Then

(a) $P(s)$ is true,

(b) if $\mathcal{A}(s', \pi)$ is empty, then $\mathcal{S}(s) = \mathcal{S}(s')$, and

(c) if $\mathcal{A}(s', \pi) = \varphi_1 t_1 \ldots t_{m-1} \varphi_m$, then
$\mathcal{S}(s')\, \varphi_1 t_1 \ldots t_{m-1} \varphi_m\, \mathcal{S}(s)$ is an
execution fragment of $B$. □

The first lemma verifies that if $A$ simulates $B$ via $\mathcal{M}$, then
$\mathcal{M}(e)$ is an execution of $B$ and a certain predicate is true of all states
of $e$.

Lemma 1: If $A$ simulates $B$ via $\mathcal{M} = (\mathcal{S}, \mathcal{A})$, $P$
and $Q$, then the following are true for any execution $e$ of $A$.

(1) $\mathcal{M}(e)$ is an execution of $B$.

(2) $(Q \circ \mathcal{S}) \wedge P$ is true in every state of $e$.

Proof: Let $e = s_0 \pi_1 s_1 \ldots$. If (1) and (2) are true for every finite
prefix $e_i = s_0 \pi_1 \ldots s_i$ of $e$, then (1) and (2) are true for $e$. We
proceed by induction on $i$. We need to strengthen the inductive hypothesis for (1)
to be the following:

(1) $\mathcal{M}(e_i)$ is an execution of $B$ and $\mathcal{S}(s_i) = t$, where $t$
is the final state in $\mathcal{M}(e_i)$.

(Throughout this proof, "conditions (1), (2) and (3)" refer to the conditions in
the definition of "simulates".)

Basis: $i = 0$. (1) $\mathcal{M}(e_0) = \mathcal{S}(s_0)$. Since $e_0$ is an
execution of $A$, $s_0$ is in start($A$). Condition (1b) implies that
$\mathcal{S}(s_0)$ is in start($B$), so $\mathcal{M}(e_0)$ is an execution of $B$.
Obviously, the assertion about the final states is true.

(2) Condition (1a) states that $P$ is true in $s_0$. Since $\mathcal{S}(s_0)$ is in
start($B$), it is a reachable state of $B$, and $Q(\mathcal{S}(s_0))$ is true.

Induction: $i > 0$. By the inductive hypothesis for (2), $Q(\mathcal{S}(s_{i-1}))$
and $P(s_{i-1})$ are true. Thus, conditions (3a), (3b) and (3c) are true.

(1) Let $\mathcal{M}(e_{i-1}) = t_0 \psi_1 \ldots t_j$ and
$\mathcal{M}(e_i) = t_0 \psi_1 \ldots t_m$. Obviously, $m \geq j$.




Suppose $m = j$. Then $\mathcal{M}(e_i) = \mathcal{M}(e_{i-1})$ and is an
execution of $B$ by the inductive hypothesis for (1). We deduce that
$\mathcal{A}(s_{i-1}, \pi_i)$ is empty, so by condition (3b),
$\mathcal{S}(s_i) = \mathcal{S}(s_{i-1})$, and by the inductive hypothesis for (1),
$\mathcal{S}(s_{i-1}) = t_j$.

Suppose $m > j$. By construction of $\mathcal{M}(e_i)$,
$\mathcal{A}(s_{i-1}, \pi_i) = \psi_{j+1} t_{j+1} \ldots t_{m-1} \psi_m$ and
$t_m = \mathcal{S}(s_i)$. By the inductive hypothesis for (1),
$\mathcal{S}(s_{i-1}) = t_j$. By condition (3c), $t_j \psi_{j+1} \ldots \psi_m t_m$
is an execution fragment of $B$. Thus, $\mathcal{M}(e_i)$ is an execution of $B$.
Obviously, the assertion about the final states is true.

(2) By the inductive hypothesis for (2), $(Q \circ \mathcal{S}) \wedge P$ is true
in every state of $e_i$, except (possibly) $s_i$. By condition (3a), $P(s_i)$ is
true. The final state in $\mathcal{M}(e_i)$ is $\mathcal{S}(s_i)$. Since, by part
(1), $\mathcal{M}(e_i)$ is an execution of $B$ and $\mathcal{S}(s_i)$ equals the
final state of $\mathcal{M}(e_i)$, $\mathcal{S}(s_i)$ is a reachable state of $B$.
By definition of $Q$, $Q(\mathcal{S}(s_i))$ is true. □
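As an added illustration, not part of the paper, the following Python code builds a hypothetical pair of finite-state automata ($A$, a counter that must `prep` before each `inc`; $B$, a counter with an internal `tick`), an abstraction mapping $\mathcal{M} = (\mathcal{S}, \mathcal{A})$ whose image of an `inc` step contains one interpolated state, and a checker that exhausts the state space of $A$ to test conditions (1), (2) and (3) of the "simulates" definition, together with the construction of $\mathcal{M}(e)$. The automata, the predicates `P_strong`, `P_trivial` and `Q`, and all names are this example's own assumptions; the paper's automata are the GHS versions and are not finite.

```python
# Added example (not the paper's code): exhaustive check of the "simulates"
# conditions and the M(e) construction for a hypothetical finite-state toy.
N = 3  # counter bound; a parameter of this toy only

# Concrete automaton A: state (n, pending).  'prep' is internal, 'inc' is an
# external output.  Each locally-controlled action is its own fairness class.
A_EXT = {"inc"}
A_START = {(0, False)}
A_STATES = [(n, p) for n in range(N + 2) for p in (False, True)]  # whole state space

def a_enabled(s):
    n, pending = s
    return ([] if pending or n >= N else ["prep"]) + (["inc"] if pending else [])

def a_step(s, act):
    n, pending = s
    return (n, True) if act == "prep" else (n + 1, False)

# Abstract automaton B: state (n, ready).  'tick' is internal, 'inc' is external.
B_EXT = {"inc"}
B_START = {(0, False)}

def b_enabled(t):
    n, ready = t
    return ([] if ready else ["tick"]) + (["inc"] if ready and n < N else [])

def b_step(t, act):
    n, ready = t
    return (n, True) if act == "tick" else (n + 1, False)

# Abstraction mapping M = (S, A): S forgets 'pending'; A maps a 'prep' step to the
# empty sequence and an 'inc' step to the alt-seq  tick (n,True) inc  of B, so the
# state (n, True) is an interpolated state of M(e).
def S(s):
    return (s[0], False)

def Amap(s, act):
    return [] if act == "prep" else ["tick", (s[0], True), "inc"]

def Q(t):              # true in every reachable state of B
    return t[0] <= N

def P_strong(s):       # low-level invariant: pending implies n < N
    n, pending = s
    return n <= N and (n < N or not pending)

def P_trivial(s):      # too weak to discharge condition (3c)
    return True

def is_fragment_of_B(t0, seq, t_end):
    """Is  t0 phi_1 t_1 ... t_{m-1} phi_m t_end  an execution fragment of B?"""
    states = [t0] + seq[1::2] + [t_end]
    for cur, act, nxt in zip(states, seq[0::2], states[1:]):
        if act not in b_enabled(cur) or b_step(cur, act) != nxt:
            return False
    return True

def check_simulates(P):
    """List the violated conditions; [] means A simulates B via M, P and Q."""
    bad = []
    for s in A_START:                                   # condition (1)
        if not P(s):
            bad.append((s, None, "1a"))
        if S(s) not in B_START:
            bad.append((s, None, "1b"))
    for s in A_STATES:
        if not (Q(S(s)) and P(s)):
            continue                                    # hypotheses of (2), (3) fail
        for act in a_enabled(s):
            seq, s2 = Amap(s, act), a_step(s, act)
            if [a for a in seq[0::2] if a in B_EXT] != [a for a in [act] if a in A_EXT]:
                bad.append((s, act, "2"))               # external behaviour differs
            if not P(s2):
                bad.append((s, act, "3a"))
            if not seq and S(s2) != S(s):
                bad.append((s, act, "3b"))
            if seq and not is_fragment_of_B(S(s), seq, S(s2)):
                bad.append((s, act, "3c"))
    return bad

def abstraction_map(execution):
    """M(e) for a finite execution e = [s0, pi1, s1, ...] of A, plus the positions
    of the interpolated states in the result."""
    out, interpolated = [S(execution[0])], set()
    for k in range(1, len(execution), 2):
        seq = Amap(execution[k - 1], execution[k])
        if not seq:
            continue                                    # A(s, pi) empty: nothing appended
        for idx, x in enumerate(seq):
            out.append(x)
            if idx % 2 == 1:
                interpolated.add(len(out) - 1)
        out.append(S(execution[k + 1]))
    return out, interpolated

def is_execution_of_B(seq):
    return seq[0] in B_START and is_fragment_of_B(seq[0], seq[1:-1], seq[-1])
```

`check_simulates(P_strong)` returns no violations, while `check_simulates(P_trivial)` reports a (3c) violation at the state `(3, True)`: without the low-level fact that `pending` implies `n < N`, the abstract `inc` in the image of that step is not enabled. `abstraction_map` applied to the execution `(0,False) prep (0,True) inc (1,False)` returns the $B$-execution `(0,False) tick (0,True) inc (1,False)` with the interpolated state at position 2, and `is_execution_of_B` confirms it is an execution of $B$, as Lemma 1 asserts. For automata with infinite state spaces the exhaustive loop has to be replaced by the inductive argument of Lemma 1.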

Next we suppose that there are several higher-level versions, say $B_1$ and $B_2$,
of automaton $A$, each focusing on a different task. There are situations in which
it is impossible to show that $A$ simulates $B_1$ without using invariants about
$B_2$'s task, and it is impossible to show that $A$ simulates $B_2$ without using
invariants about $B_1$'s task. One could cast the invariants about $B_2$'s task as
predicates of $A$, and use the previous definition to show $A$ simulates $B_1$, but
this violates the spirit of the lattice. Instead, we define a notion of
simultaneously simulates, which allows invariants about both tasks to be used in
showing that $A$ simulates $B_1$ and $B_2$. The definition differs from simply
requiring $A$ to simulate $B_1$ and $A$ to simulate $B_2$ in one important way:
steps of $A$ only need to be reflected properly in each higher-level algorithm when
all the higher-level invariants are true (cf. condition (3)).

Definition: Let $I$ be an index set. Let $A$ and $A_r$, $r \in I$, be automata
with the same external action signature. For all $r \in I$, let
$\mathcal{M}_r = (\mathcal{S}_r, \mathcal{A}_r)$ be an abstraction mapping from $A$
to $A_r$, and let $Q_r$ be a predicate true of all reachable states of $A_r$. Let
$P$ be a predicate on states($A$). We say $A$ simultaneously simulates
$\{A_r : r \in I\}$ via $\{\mathcal{M}_r : r \in I\}$, $P$, and $\{Q_r : r \in I\}$
if the following three conditions are true.

(1) If $s$ is in start($A$), then

(a) $P(s)$ is true, and

(b) $\mathcal{S}_r(s)$ is in start($A_r$) for all $r \in I$.

(2) If $s$ is a state of $A$ such that $\bigwedge_{r \in I} Q_r(\mathcal{S}_r(s))$
and $P(s)$ are true, and $\pi$ is any action of $A$ enabled in $s$, then
$\mathcal{A}_r(s, \pi)|\mathrm{ext}(A_r) = \pi|\mathrm{ext}(A)$ for all $r \in I$.

(3) Let $(s', \pi, s)$ be a step of $A$ such that
$\bigwedge_{r \in I} Q_r(\mathcal{S}_r(s'))$ and $P(s')$ are true. Then

(a) $P(s)$ is true,

(b) if $\mathcal{A}_r(s', \pi)$ is empty, then $\mathcal{S}_r(s) = \mathcal{S}_r(s')$,
for all $r \in I$, and

(c) if $\mathcal{A}_r(s', \pi) = \varphi_1 t_1 \ldots t_{m-1} \varphi_m$, then
$\mathcal{S}_r(s')\, \varphi_1 t_1 \ldots t_{m-1} \varphi_m\, \mathcal{S}_r(s)$ is
an execution fragment of $A_r$, for all $r \in I$. □

The statement "$A$ simultaneously simulates $\{A_1, A_2\}$ via
$\{\mathcal{M}_1, \mathcal{M}_2\}$, $P$ and $\{Q_1, Q_2\}$" is weaker than the
statement "$A$ simulates $A_1$ via $\mathcal{M}_1$, $P$ and $Q_1$, and $A$ simulates
$A_2$ via $\mathcal{M}_2$, $P$ and $Q_2$" because the hypotheses of conditions (2)
and (3) in the simultaneous definition require that a stronger predicate be true.

Lemma 2 shows that the safety properties of interest are still preserved.

Lemma 2: Let $I$ be an index set. If $A$ simultaneously simulates
$\{A_r : r \in I\}$ via $\{\mathcal{M}_r : r \in I\}$, $P$, and $\{Q_r : r \in I\}$,
where $\mathcal{M}_r = (\mathcal{S}_r, \mathcal{A}_r)$ for all $r \in I$, then the
following are true of any execution $e$ of $A$.

(1) $\mathcal{M}_r(e)$ is an execution of $A_r$, for all $r \in I$.

(2) $\bigwedge_{r \in I} (Q_r \circ \mathcal{S}_r) \wedge P$ is true in every state
of $e$.

2.2  Liveness 

The following notation is introduced to define the basic liveness notion,
"equitable", and to verify that this definition has the desired properties.

We define an execution $e = s_0 \pi_1 s_1 \ldots$ of automaton $A$ to satisfy
$S \leadsto (T, X)$, where $S$ and $T$ are subsets of states($A$) and $X$ is a subset
of states($A$) $\times$ acts($A$), if for all $i$ with $s_i \in S$, there is a
$j \geq i$ such that either $s_j \in T$ or $(s_j, \pi_{j+1}) \in X$. In words,
starting at any state of $e$ in $S$, eventually either a state in $T$ is reached, or
a state-action pair in $X$ is reached.

If $\mathcal{M} = (\mathcal{S}, \mathcal{A})$ is an abstraction mapping from $A$ to
$B$, then for each locally-controlled action $\varphi$ of $B$, we make the following
definitions: $E_\varphi$ is the set of all states $s$ of $A$ such that $\varphi$ is
enabled in $\mathcal{S}(s)$; $D_\varphi$ is states($A$) $- E_\varphi$; $D'_\varphi$
is the set of all states $t$ of $B$ such that $\varphi$ is not enabled in $t$;
$X_\varphi$ is the set of all pairs $(s, \pi)$ of states $s$ of $A$ and actions
$\pi$ of $A$ such that $\varphi$ is in $\mathcal{A}(s, \pi)$; and $X'_\varphi$ is
states($B$) $\times \{\varphi\}$.

Definition: Suppose $\mathcal{M}$ is an abstraction mapping from $A$ to $B$. Let
$\varphi$ be a locally-controlled action of $B$. If every fair execution of $A$
satisfies states($A$) $\leadsto (D_\varphi, X_\varphi)$, then $A$ is equitable for
$\varphi$ via $\mathcal{M}$. If $A$ is equitable for $\varphi$ via $\mathcal{M}$ for
every locally-controlled action $\varphi$ of $B$, then $A$ is equitable for $B$. □
The next lemma motivates the equitable definition: in the induced execution of
$B$, if $\varphi$ is ever enabled, then eventually $\varphi$ either occurs or becomes
disabled.

Lemma 3: Suppose $A$ simulates $B$ via $\mathcal{M}$. Let $\varphi$ be a
locally-controlled action of $B$. If $A$ is equitable for $\varphi$ via
$\mathcal{M}$, then $\mathcal{M}(e)$ satisfies states($B$)
$\leadsto (D'_\varphi, X'_\varphi)$, for every fair execution $e$ of $A$.

Proof: Let $\mathcal{M} = (\mathcal{S}, \mathcal{A})$. Let
$e = s_0 \pi_1 s_1 \ldots$ be a fair execution of $A$, and let
$\mathcal{M}(e) = t_0 \psi_1 t_1 \ldots$. For any $i \geq 0$, define index($i$) to be
the $j$ such that $\mathcal{M}(s_0 \ldots s_i) = t_0 \ldots t_j$. Choose $i \geq 0$.

Case 1: $t_i$ is not interpolated. Choose any $l$ such that index($l$) $= i$. Then
$t_i = \mathcal{S}(s_l)$, as argued in the proof of Lemma 1. Suppose there is an
$m \geq l$ such that $s_m \in D_\varphi$. Then there is a $j = $ index($m$) $\geq i$
such that $t_j = \mathcal{S}(s_m)$, and by definition of $D_\varphi$, $t_j$ is in
$D'_\varphi$. Suppose instead there is an $m \geq l$ such that
$(s_m, \pi_{m+1}) \in X_\varphi$. Then, with $j = $ index($m$) $\geq i$, there is a
$k > j$ such that $\psi_k = \varphi$, by definition of $X_\varphi$, and
$(t_{k-1}, \psi_k)$ is in $X'_\varphi$.

Case 2: $t_i$ is interpolated. Let $i'$ be the smallest integer greater than $i$
such that $t_{i'}$ is not interpolated. If either a state in $D'_\varphi$ or
$\varphi$ occurs between $i$ and $i'$ in $\mathcal{M}(e)$, then we are done. Suppose
not. Then the argument in Case 1, applied to $t_{i'}$, shows that eventually after
$t_{i'}$, and thus after $t_i$, either a state in $D'_\varphi$ or $\varphi$ occurs
in $\mathcal{M}(e)$. □

The next lemma is the analog of Lemma 3 for simultaneously simulates.
($D'_\varphi$ and $X'_\varphi$ are defined with respect to $\mathcal{M}_r$.)

Lemma 4: Suppose $A$ simultaneously simulates $\{A_r : r \in I\}$ via
$\{\mathcal{M}_r : r \in I\}$. Let $\varphi$ be a locally-controlled action of $A_r$
for some $r$. If $A$ is equitable for $\varphi$ via $\mathcal{M}_r$, then
$\mathcal{M}_r(e)$ satisfies states($A_r$) $\leadsto (D'_\varphi, X'_\varphi)$, for
every fair execution $e$ of $A$.

The rest of this subsection describes three methods of verifying that $A$ is
equitable for action $\varphi$ of $B$. Lemma 5 describes the first method, which is
to identify an action of $A$ that is essentially the "same" as $\varphi$.

Lemma 5: Suppose $\mathcal{M} = (\mathcal{S}, \mathcal{A})$ is an abstraction
mapping from $A$ to $B$, $\varphi$ is a locally-controlled action of $B$, and $\rho$
is a locally-controlled action of $A$ such that, for all reachable states $s$ of $A$,

(1) $\rho$ is enabled in $s$ if and only if $\varphi$ is enabled in state
$\mathcal{S}(s)$ of $B$, and

(2) if $\rho$ is enabled in $s$, then $\varphi$ is included in $\mathcal{A}(s, \rho)$.

Then $A$ is equitable for $\varphi$ via $\mathcal{M}$.

Proof: Let $e = s_0 \pi_1 s_1 \ldots$ be a fair execution of $A$. Choose $i \geq 0$.
If $s_i \in D_\varphi$, we are done. Suppose $s_i \in E_\varphi$. By assumption,
$\rho$ is enabled in $s_i$. Since $e$ is fair, there exists $j > i$ such that either
$\pi_j = \rho$, in which case $\mathcal{A}(s_{j-1}, \pi_j)$ includes $\varphi$, or
else $\rho$ is not enabled in $s_j$, in which case $\varphi$ is not enabled in
$\mathcal{S}(s_j)$. Thus, $e$ satisfies states($A$)
$\leadsto (D_\varphi, X_\varphi)$. □

The second method uses the following definition, which is shown in Lemma 6
to imply equitable.

Definition: Suppose $\mathcal{M} = (\mathcal{S}, \mathcal{A})$ is an abstraction
mapping from $A$ to $B$. If $\varphi$ is a locally-controlled action of $B$, then we
say $A$ is progressive for $\varphi$ via $\mathcal{M}$ if there is a set $\Psi$ of
pairs $(s, \psi)$ of states $s$ of $A$ and locally-controlled actions $\psi$ of $A$,
and a function $v$ from states($A$) to a well-founded set such that the following
are true.

(1) For any reachable state $s \in E_\varphi$ of $A$, some action $\psi$ is enabled
in $s$ such that $(s, \psi)$ is in $\Psi$.

(2) For any step $(s', \pi, s)$ of $A$, where $s'$ is reachable and in $E_\varphi$,
$(s', \pi) \notin X_\varphi$ and $s \in E_\varphi$:

(a) $v(s) \leq v(s')$,

(b) if $(s', \pi) \in \Psi$, then $v(s) < v(s')$, and

(c) if $(s', \pi) \notin \Psi$, $\psi$ is enabled in $s'$, and $(s', \psi)$ is in
$\Psi$, then $\psi$ is enabled in $s$ and $(s, \psi)$ is in $\Psi$. □

Lemma 6: If $A$ is progressive for $\varphi$ via $\mathcal{M}$, then $A$ is
equitable for $\varphi$ via $\mathcal{M}$.

Proof: Let $\mathcal{M} = (\mathcal{S}, \mathcal{A})$. By assumption, $\varphi$ is
a locally-controlled action of $B$, and there exist $\Psi$ and $v$ satisfying
conditions (1) and (2) in the definition of "progressive".

Let $e = s_0 \pi_1 s_1 \ldots$ be a fair execution of $A$. Choose $i \geq 0$. If
$s_i \in D_\varphi$, we are done. Suppose $s_i \in E_\varphi$. Assume in
contradiction that for all $j \geq i$, $(s_j, \pi_{j+1}) \notin X_\varphi$ and
$s_j \in E_\varphi$. By condition (1), there is an action $\psi$ enabled in $s_i$
such that $(s_i, \psi)$ is in $\Psi$. By condition (2c), as long as
$(s_j, \pi_{j+1}) \notin \Psi$, $\psi$ is enabled in $s_{j+1}$ and
$(s_{j+1}, \psi) \in \Psi$, for $j \geq i$. Since $e$ is fair, there is $i_1 > i$
such that $(s_{i_1 - 1}, \pi_{i_1}) \in \Psi$. By conditions (2a) and (2b),
$v(s_{i_1}) < v(s_i)$. Similarly, we can show that there is $i_2 > i_1$ such that
$v(s_{i_2}) < v(s_{i_1})$. We can continue this indefinitely, contradicting the
range of $v$ being a well-founded set. □
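As an added illustration, not part of the paper, the Python code below constructs a hypothetical concrete automaton $A$ (a countdown with a distracting internal `noise` action) and a two-state abstract automaton $B$ whose only action is `done`, and implements the sets $E_\varphi$, $D_\varphi$ and $X_\varphi$ as membership tests, the relation $S \leadsto (T, X)$ on a finite execution, the fairness condition for a finite execution, and the progressive conditions (1), (2a), (2b) and (2c) with the variant $v(s) = k$, checked over the reachable states of $A$. Both automata, the helping set `Psi`, the variant and all names are this example's own assumptions, and the two executions at the end are constructed for it.

```python
# Added example (not the paper's code): the sets E_phi, D_phi, X_phi, the relation
# S ~> (T, X) on a finite execution, finite-execution fairness, and the
# 'progressive' conditions, for a hypothetical countdown automaton.

# Abstract automaton B: states "working" and "finished"; its only action, 'done',
# is locally controlled and enabled exactly in "working".
PHI = "done"

def b_enabled(t):
    return [PHI] if t == "working" else []

# Concrete automaton A: state (k, bit) while working, then "finished".  'dec'
# counts k down, 'noise' flips the bit, 'done' fires once k == 0.  All three are
# locally controlled, each in its own fairness class.
A_START = (3, 0)

def a_enabled(s):
    if s == "finished":
        return []
    k, _ = s
    return ["noise", "dec" if k > 0 else "done"]

def a_step(s, act):
    k, bit = s
    if act == "noise":
        return (k, 1 - bit)
    return (k - 1, bit) if act == "dec" else "finished"

# Abstraction mapping M = (S, A) from A to B.
def S(s):
    return "finished" if s == "finished" else "working"

def Amap(s, act):
    return [PHI] if act == "done" else []

# E_phi, D_phi and X_phi from the text, as membership tests on A.
def in_E(s):
    return PHI in b_enabled(S(s))

def in_D(s):
    return not in_E(s)

def in_X(s, act):
    return PHI in Amap(s, act)

def reachable_states():
    seen, todo = set(), [A_START]
    while todo:
        s = todo.pop()
        if s not in seen:
            seen.add(s)
            todo.extend(a_step(s, a) for a in a_enabled(s))
    return seen

def satisfies_leads_to(execution, in_S, in_T, in_X_pair):
    """e = [s0, pi1, s1, ...] satisfies S ~> (T, X): for every i with s_i in S
    there is a j >= i with s_j in T or (s_j, pi_{j+1}) in X."""
    states, acts = execution[0::2], execution[1::2]
    return all(
        any(in_T(states[j]) or (j < len(acts) and in_X_pair(states[j], acts[j]))
            for j in range(i, len(states)))
        for i, s in enumerate(states) if in_S(s))

def is_fair_finite(execution):
    """A finite execution is fair iff no locally-controlled action is enabled in
    its final state (every action of A is locally controlled here)."""
    return a_enabled(execution[-1]) == []

# Progressive for phi: helping pairs Psi = {(s, dec), (s, done)}, variant v(s) = k.
def in_Psi(s, act):
    return act in ("dec", "done")

def v(s):
    return 0 if s == "finished" else s[0]

def check_progressive(variant):
    """List violations of conditions (1), (2a), (2b), (2c) over reachable states."""
    bad = []
    for s in reachable_states():
        if not in_E(s):
            continue
        if not any(in_Psi(s, a) for a in a_enabled(s)):
            bad.append((s, None, "1"))
        for act in a_enabled(s):
            nxt = a_step(s, act)
            if in_X(s, act) or not in_E(nxt):
                continue                      # hypothesis of (2) not met
            if variant(nxt) > variant(s):
                bad.append((s, act, "2a"))
            if in_Psi(s, act) and not variant(nxt) < variant(s):
                bad.append((s, act, "2b"))
            if not in_Psi(s, act):
                for psi in a_enabled(s):
                    if in_Psi(s, psi) and not (psi in a_enabled(nxt) and in_Psi(nxt, psi)):
                        bad.append((s, act, "2c"))
    return bad

# Constructed executions: FAIR_EXEC ends with nothing enabled; UNFAIR_PREFIX stops
# while 'dec' is still enabled, so it is not a fair execution of A.
FAIR_EXEC = [(3, 0), "noise", (3, 1), "dec", (2, 1), "dec", (1, 1),
             "noise", (1, 0), "dec", (0, 0), "done", "finished"]
UNFAIR_PREFIX = [(3, 0), "noise", (3, 1), "noise", (3, 0)]
```

`check_progressive(v)` returns no violations, while a constant variant function reports a (2b) violation at every `dec` step, which is exactly where the well-foundedness argument of Lemma 6 would break down. `FAIR_EXEC` is fair and satisfies states($A$) $\leadsto (D_\varphi, X_\varphi)$; `UNFAIR_PREFIX` is not fair and does not satisfy it, which is why the equitable definition quantifies over fair executions only. Infinite fair executions cannot be enumerated this way; for them the inductive argument of Lemma 6 is what establishes the property.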
The next lemma demonstrates a third technique for showing that $A$ is equitable for locally-controlled action $\varphi$ of $B$, in a situation when there are multiple higher-level algorithms. The main idea is to show that there is some action $\rho$ of $D$ that is "similar" to $\varphi$ (cf. conditions (2) and (3)) such that $C$ is progressive for $\rho$ using certain helping actions (cf. condition (4)), and $A$ is equitable for all the helping actions for $\rho$ (cf. condition (5)). By "similar", we mean that if $\varphi$ is enabled in the $B$-image of state $s$ of $A$, then $\rho$ is enabled in the $D$-image of the $C$-image of $s$; and if $\rho$ occurs in the $D$-image of the $C$-image of the pair $(s', \pi)$, then $\varphi$ occurs in the $B$-image of $(s', \pi)$. Condition (1) is needed for technical reasons. (For convenience, we define abstraction function $\mathcal{M}$ applied to the empty sequence to be the empty sequence. To avoid ambiguity, we add the superscript $AB$ to $E_\varphi$ and $X_\varphi$ when they are defined with respect to the abstraction function from $A$ to $B$.)

Lemma 7: Let $A$, $B$, $C$ and $D$ be automata such that $\mathcal{M}_{AB} = (\mathcal{S}_{AB}, \mathcal{A}_{AB})$ is an abstraction function from $A$ to $B$, and similarly for $\mathcal{M}_{AC}$ and $\mathcal{M}_{CD}$. Let $\varphi$ be a locally-controlled action of $B$. Suppose the following conditions are true.

(1) $\mathcal{M}_{AC}(e)$ is an execution of $C$ for every execution $e$ of $A$.

(2) There is a locally-controlled action $\rho$ of $D$ such that for any reachable state $s$ of $A$, if $s \in E_\varphi^{AB}$ then $\mathcal{S}_{AC}(s) \in E_\rho^{CD}$.

(3) If $(s', \pi, s)$ is a step of $A$, $s'$ is reachable, and $\rho$ is in $\mathcal{M}_{CD}(\mathcal{M}_{AC}(s', \pi))$, then $\varphi$ is in $\mathcal{A}_{AB}(s', \pi)$.

(4) $C$ is progressive for $\rho$ via $\mathcal{M}_{CD}$, using the set $\Psi_\rho$ and the function $v_\rho$.

(5) $A$ is equitable for $\psi$ via $\mathcal{M}_{AC}$, for all actions $\psi$ of $C$ such that $(t, \psi) \in \Psi_\rho$ for some state $t$ of $C$.

Then $A$ is equitable for $\varphi$ via $\mathcal{M}_{AB}$.

Proof: Let $e = s_0 \pi_1 s_1 \ldots$ be a fair execution of $A$. Let $\mathcal{M}_{AC}(e) = t_0 \phi_1 t_1 \ldots$. By assumption (1), $t_m$ is a reachable state of $C$ for all $m \geq 0$. For any $i \geq 0$, define $index(i)$ to be $m$ such that $\mathcal{M}_{AC}(s_0 \pi_1 \ldots s_i) = t_0 \phi_1 \ldots t_m$.

Choose $i \geq 0$. If $s_i \notin E_\varphi^{AB}$ we are done. Suppose $s_i \in E_\varphi^{AB}$. Assume in contradiction that for all $j \geq i$, $(s_j, \pi_{j+1}) \notin X_\varphi^{AB}$ and $s_j \in E_\varphi^{AB}$. Let $m = index(i)$.

By assumption (2), there is a locally-controlled action $\rho$ of $D$ such that $t_n \in E_\rho^{CD}$ for all $n \geq m$. By assumption (3), $(t_n, \phi_{n+1}) \notin X_\rho^{CD}$ for all $n \geq m$.

By assumption (4), $C$ is progressive for $\rho$ via $\mathcal{M}_{CD}$, using set $\Psi_\rho$ and function $v_\rho$. Thus, there is a locally-controlled action $\psi$ of $C$ enabled in $\mathcal{S}_{AC}(s_i) = t_m$ such that $(t_m, \psi) \in \Psi_\rho$. By assumption (5), $A$ is equitable for $\psi$ via $\mathcal{M}_{AC}$. Since $e$ is fair and $s_i \in E_\psi^{AC}$, by Lemma 3 there exists $i_1 > i$ such that either $(s_{i_1 - 1}, \pi_{i_1}) \in X_\psi^{AC}$ or $s_{i_1} \notin E_\psi^{AC}$. Let $m_1 = index(i_1)$.

Case 1: $(s_{i_1 - 1}, \pi_{i_1}) \in X_\psi^{AC}$. Then $\mathcal{M}_{AC}(s_{i_1 - 1}, \pi_{i_1})$ includes $\psi$. Since $t_m$ is reachable, $t_n \in E_\rho^{CD}$ and $(t_n, \phi_{n+1}) \notin X_\rho^{CD}$ for all $n \geq m$, we conclude that $v_\rho(t_{m_1}) < v_\rho(t_m)$, by parts (2a) and (2b) of the definition of "progressive".

Case 2: $s_{i_1} \notin E_\psi^{AC}$. Since $t_m$ is reachable, $t_n \in E_\rho^{CD}$ and $(t_n, \phi_{n+1}) \notin X_\rho^{CD}$ for all $n \geq m$, by part (2c) of the definition of "progressive", the only way $\psi$ can go from enabled in $t_m$ to disabled in $t_{m_1}$ is for some action in $\Psi_\rho$ to occur between $\phi_{m+1}$ and $\phi_{m_1}$. By part (2b) of the definition of "progressive", $v_\rho(t_{m_1}) < v_\rho(t_m)$.

Similarly, we can show that there exists $i_2 > i_1$ such that $v_\rho(\mathcal{S}_{AC}(s_{i_2})) < v_\rho(\mathcal{S}_{AC}(s_{i_1}))$. We can continue this indefinitely, contradicting the range of $v_\rho$ being a well-founded set. □

2.3 Satisfaction

The next theorem shows that our definitions of simulate and equitable are sufficient for showing that $A$ satisfies $B$.

Theorem 8: If $A$ simulates $B$ via $\mathcal{M}$, $P$ and $Q$ and if $A$ is equitable for $B$ via $\mathcal{M}$, then $A$ satisfies $B$.

Proof: We must show that for any fair execution $e$ of $A$, there is a fair execution $f$ of $B$ such that $sched(e)|ext(A) = sched(f)|ext(B)$. Given $e$, let $f$ be $\mathcal{M}(e)$. We verify that $\mathcal{M}(e)$ is a fair execution of $B$ with the desired property. Lemma 1, part (1), implies that $f$ is an execution of $B$. Choose any locally-controlled action $\varphi$ of $B$. By Lemma 3, if $\varphi$ is enabled in any state of $f$, then subsequently in $f$, either a state occurs in which $\varphi$ is not enabled, or $\varphi$ occurs. Thus, $f$ is fair. Finally, $sched(e)|ext(A) = sched(f)|ext(B)$ because of condition (2) in the definition of "simulates". □

The next theorem is the analog of Theorem 7 for simultaneously simulates.

Theorem 9: Let $I$ be an index set. If $A$ simultaneously simulates $\{A_r : r \in I\}$ via $\{\mathcal{M}_r : r \in I\}$, $P$ and $\{Q_r : r \in I\}$, and if $A$ is equitable for $A_r$ via $\mathcal{M}_r$ for some $r \in I$, then $A$ satisfies $A_r$.
3. Problem Statement

We define the minimum spanning tree problem as an external schedule module.

For the rest of this paper, let $G$ be a connected undirected graph, with at least two nodes and, for each edge, a unique weight chosen from a totally ordered set. Nodes are $V(G)$ and edges are $E(G)$. For each edge $(p, q)$ in $E(G)$, there are two links (i.e., directed edges), $\langle p, q \rangle$ and $\langle q, p \rangle$. The set of all links of $G$ is denoted $L(G)$. The set of all links leaving $p$ is denoted $L_p(G)$. The weight of $(p, q)$ is denoted $wt(p, q)$; the weight of the link $\langle p, q \rangle$ is defined to be $wt(p, q)$, and $wt(nil)$ is defined to be $\infty$.

The following facts about minimum spanning trees will be useful.

Lemma 10: (Property 2 in [GHS]) The minimum spanning tree of $G$ is unique.

Proof: Suppose in contradiction that $T_1$ and $T_2$ are both minimum spanning trees of $G$ and $T_1 \neq T_2$. Let $e$ be the minimum-weight edge that is in one of the trees but not both. Without loss of generality, suppose $e$ is in $E(T_1)$. The set of edges $\{e\} \cup E(T_2)$ must contain a cycle, and at least one edge, say $e'$, of this cycle is not in $E(T_1)$. Since $e \neq e'$ and $e'$ is in one but not both of the trees, $wt(e) < wt(e')$. Thus replacing $e'$ with $e$ in $E(T_2)$ yields a spanning tree of $G$ with smaller weight than $T_2$, contradicting the assumption. □

Let $T(G)$ be the (unique) minimum spanning tree of $G$.

An external edge $(p, q)$ of subgraph $F$ of $G$ is an edge of $G$ such that $p \in V(F)$ and $q \notin V(F)$.

Lemma 11: (Property 1 in [GHS]) If $F$ is a subgraph of $T(G)$, and $e$ is the minimum-weight external edge of $F$, then $e$ is in $T(G)$.

Proof: Suppose in contradiction that $e$ is not in $T(G)$. Then a cycle is formed by $e$ together with some subset of the edges of $T(G)$. At least one other edge $e'$ of this cycle is also an external edge of $F$. By choice of $e$, $wt(e) < wt(e')$. Thus, replacing $e'$ with $e$ in the edge set of $T(G)$ produces a spanning tree of $G$ with smaller weight than $T(G)$, which is a contradiction. □

The MST(G) problem is the following external schedule module. Input actions are $\{Start(p) : p \in V(G)\}$. Output actions are $\{InTree(l), NotInTree(l) : l \in L(G)\}$. Schedules are all sequences of actions such that

• no output action occurs unless an input action occurs;

• if an input action occurs, then exactly one output action occurs for each $l \in L(G)$;

• if $InTree(\langle p, q \rangle)$ occurs, then $(p, q)$ is in $T(G)$; and

• if $NotInTree(\langle p, q \rangle)$ occurs, then $(p, q)$ is not in $T(G)$.

4. Proof of Correctness

The verification of Gallager, Humblet and Spira's minimum-spanning tree algorithm [GHS] uses several automata, arranged into a lattice as in Figure 2.

[Figure 2: The Lattice. Only the labels HI, COM and GHS survived extraction of the figure.]


Each element of the lattice is a complete algorithm. However, the level of detail in which the actions and state of the original algorithm are represented varies. Working down the lattice takes us from a description of the algorithm that uses global information about the state of the graph, and powerful, atomic actions, to a fully distributed algorithm, in which each node can only access its local variables, and many actions are needed to implement a single higher-level action. A brief overview of each algorithm is given below; a fuller description of each appears later.

HI is a very high-level description of the algorithm, and is easily shown in Section 4.1 to solve the MST(G) problem. GHS is the detailed algorithm from [GHS]. We show a path in the lattice from GHS to HI, where each automaton in the path satisfies the automaton above it. By transitivity of satisfaction, GHS will then have been shown to solve MST(G).

The essential feature of the state of HI is a set of subgraphs of $G$, initially the set of singleton nodes of $G$. Subgraphs combine, in a single action, along minimum-weight external edges, until only one subgraph, the minimum spanning tree, remains.

The COM automaton introduces fragments, each of which corresponds to a subgraph of HI, plus extra information about the global level and core (or identity) of the subgraph. Two ways to combine fragments are distinguished, merging and absorbing, and two milestones that a fragment must reach before combining are identified. The first milestone is computing the minimum-weight external link of the fragment, and the second is indicating readiness to combine.

The GC automaton expands on the process of finding the minimum-weight external link of a fragment, by introducing for each fragment a set testset of nodes that are participating in the search. Once a node has found its local minimum-weight external link, it is removed from the testset.

TAR and DC expand on GC in complementary ways. DC focuses on how the nodes of a fragment cooperate to find the minimum-weight external link of the whole fragment in a distributed fashion. It describes the flow of messages throughout the fragments: first a broadcast informs nodes that they should find their local minimum-weight external links, and then a convergecast reports the results back. In contrast, TAR is unconcerned with specifying exactly when each node finds its local minimum-weight external link, and concentrates on the details of the protocol performed by a node to find this link.

NOT is a refinement of COM that expands on the method by which the global level and core information for a fragment is implemented by variables local to each node. Messages attempt to notify nodes of the level and core of the nodes' current fragment.

CON, an orthogonal refinement of COM, concentrates on how messages are used to implement what happens between the time the minimum-weight external link of an entire fragment is computed, and the time the fragment is combined with another one.

Finally, the entire, fully distributed, algorithm is represented in automaton GHS. It expands on and unites TAR, DC, NOT and CON.

The path chosen through the lattice is HI, COM, GC, TAR, GHS. Why this path? Obviously, GHS must be shown to satisfy one of TAR, DC, NOT and CON. However, it cannot be done in isolation; that is, invariants about the other three are necessary to show that GHS satisfies one. (As mentioned in Section 2.1, the invariants about the other three could be made predicates about GHS, but this approach does not take advantage of abstraction.) Thus, we show that GHS simultaneously simulates those four automata. To show this, however, we need to verify that certain predicates really are invariants for the four. In order to do this, we show that TAR and DC (independently) simulate GC, and that NOT and CON (independently) simulate COM. Likewise, in order to show these facts, we need to know that certain predicates are invariants of GC and COM, and the way we do that is to show that GC simulates COM, and that COM simulates HI. Thus, it is necessary to show safety relationships along every edge in the lattice.

The liveness relationships only need to be shown along one path from GHS to HI. After inspecting GHS and the four automata directly above it, we decided on pragmatic grounds that it would be easiest to show that GHS is equitable for TAR. One consideration was that the output actions have exactly the same preconditions in GHS and in TAR, and thus showing GHS is equitable for those actions is trivial. Once TAR was chosen, the rest of the path was fixed.

First, the necessary safety properties are verified in Section 4.2. We show that COM simulates HI (Section 4.2.1), that GC simulates COM (Section 4.2.2), that TAR simulates GC (Section 4.2.3), that DC simulates GC (Section 4.2.4), that NOT simulates COM (Section 4.2.5), that CON simulates COM (Section 4.2.6), and that GHS simultaneously simulates TAR, DC, NOT and CON (Section 4.2.7).

Section 4.3 contains the liveness arguments. To show the desired chain of satisfaction, we show that COM is equitable for HI (Section 4.3.1), that GC is equitable for COM (Section 4.3.2), that TAR is equitable for GC (Section 4.3.3), and that GHS is equitable for TAR (Section 4.3.6). In Section 4.3.6, the technique of Lemma 7 is used in several places; thus we need to show that DC is progressive for an action of GC (Section 4.3.4), and that CON is progressive for several actions of COM (Section 4.3.5).

Section 4.4 puts the pieces together to show that GHS solves MST(G).
4.1 HI Solves MST(G)

The main feature of the HI state is the data structure FST (for "forest"), which consists of a set of subgraphs of $G$, partitioning $V(G)$. The idea is that the subgraphs of $G$ are connected subgraphs of the minimum spanning tree $T(G)$. Two subgraphs can combine if the minimum-weight external link of one leads to the other. The awake variable is used to make sure that no output action occurs unless an input action occurs. The answered variables are used to ensure that at most one output action occurs for each link. $InTree(\langle p, q \rangle)$ can only occur if $(p, q)$ is already in a subgraph, or is the minimum-weight external edge of a subgraph (i.e., is destined to be in a subgraph). $NotInTree(\langle p, q \rangle)$ can only occur if $p$ and $q$ are in the same subgraph but the edge between them is not.

Define automaton HI (for "High Level") as follows.

The state consists of a set FST of subgraphs of $G$, a Boolean variable answered(l) for each $l \in L(G)$, and a Boolean variable awake.

In the start state of HI, FST is the set of single-node graphs, one for each $p \in V(G)$, every answered(l) is false, and awake is false.

Input actions:

• Start(p), $p \in V(G)$
  Effects:
    awake := true

Output actions:

• InTree($\langle p, q \rangle$), $\langle p, q \rangle \in L(G)$
  Preconditions:
    awake = true
    $(p, q) \in F$ or $(p, q)$ is the minimum-weight external edge of $F$, for some $F \in FST$
    answered($\langle p, q \rangle$) = false
  Effects:
    answered($\langle p, q \rangle$) := true

• NotInTree($\langle p, q \rangle$), $\langle p, q \rangle \in L(G)$
  Preconditions:
    awake = true
    $p, q \in F$ and $(p, q) \notin F$, for some $F \in FST$
    answered($\langle p, q \rangle$) = false
  Effects:
    answered($\langle p, q \rangle$) := true

Internal actions:

• Combine(F, F', e), $F, F' \in FST$, $e \in E(G)$
  Preconditions:
    awake = true
    $F \neq F'$
    $e$ is an external edge of $F$
    $e$ is the minimum-weight external edge of $F'$
  Effects:
    $FST := FST - \{F, F'\} \cup \{F \cup F' \cup e\}$

Define the following predicates on states(HI). (A minimum spanning forest of $G$ is a set of disjoint subgraphs of $G$ that span $V(G)$ and form a subgraph of a minimum spanning tree of $G$.)

• HI-A: Each $F$ in FST is connected.

• HI-B: FST is a minimum spanning forest of $G$.

Let $P_{HI} = $ HI-A $\wedge$ HI-B. HI-B implies that the elements of FST form a partition of $V(G)$. Lemma 10 and HI-B imply that FST is a subgraph of $T(G)$.

Theorem 12: HI solves the MST(G) problem, and $P_{HI}$ is true in every reachable state of HI.

Proof: First we show that $P_{HI}$ is true in every reachable state of HI. If $s$ is a start state of HI, then $P_{HI}$ is obviously true. Suppose $(s', \pi, s)$ is a step of HI and $P_{HI}$ is true in $s'$. If $\pi \neq$ Combine(F, F', e), then, since FST is unchanged, $P_{HI}$ is obviously true in $s$ as well.

Suppose $\pi$ = Combine(F, F', e). By the precondition, $F \neq F'$, $e$ is the minimum-weight external edge of $F'$, and $e$ is an external edge of $F$ in $s'$. By HI-A, $F$ and $F'$ are each connected in $s'$; thus, the new fragment formed in $s$ by joining $F$ and $F'$ along $e$ is connected, and HI-A is true. Since by HI-B and Lemma 10, $F$ and $F'$ are subgraphs of $T(G)$, and since by Lemma 11 $e$ is in $T(G)$, the new FST is a minimum spanning forest of $G$, and HI-B is true.

We now show that HI solves MST(G). Let $e$ be a fair execution of HI. The use of the variable awake ensures that no output action occurs in $e$ unless an input action occurs in $e$. The use of the variables answered(l) ensures that at most one output action occurs in $e$ for each link $l$. Suppose $InTree(\langle p, q \rangle)$ occurs in $e$. Then in the preceding state, either $(p, q)$ is in $F$ or $(p, q)$ is the minimum-weight external edge of $F$, for some $F \in FST$. By HI-B and Lemmas 10 and 11, $(p, q)$ is in $T(G)$. Suppose $NotInTree(\langle p, q \rangle)$ occurs in $e$. Then in the preceding state, $p$ and $q$ are in $F$ and $(p, q)$ is not in $F$, for some $F \in FST$. By HI-A, there is a path from $p$ to $q$ in $F$. By HI-B and Lemma 10, this path is in $T(G)$. Thus $(p, q)$ cannot be in $T(G)$, or else there would be a cycle.

Suppose an input action occurs in $e$. We show that an output action occurs in $e$ for each link. Let $e = s_0 \pi_1 s_1 \ldots$. Obviously, $\pi_1$ is an input action. Only a finite number of output actions can occur in $e$. Choose $m$ such that $\pi_m$ is the last output action occurring in $e$. (Let $m = 1$ if there is no output action in $e$.) It is easy to see that $s_m = s_i$ for all $i \geq m$. Since an input action occurs in $e$ before $s_m$, awake = true in $s_m$. $|FST| = 1$ in $s_m$, because otherwise some Combine(F, F', e') action would be enabled in $s_m$, contradicting $e$ being fair. Let $FST = \{F\}$. By HI-A and HI-B, $F = T(G)$ in $s_m$. Furthermore, answered(l) is true in $s_m$ for each $l$, because otherwise some output action for $l$ would be enabled in $s_m$, contradicting $e$ being fair. Yet the only way answered(l) can be true in $s_m$ is if an output action for $l$ occurs in $e$. □
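As an added example (not part of the paper), the HI automaton above as an executable state machine: a fair execution is generated by repeatedly taking a randomly chosen enabled action, $P_{HI}$ (HI-A and HI-B) is checked after every step against $T(G)$ computed by Kruskal's algorithm, and the resulting external schedule is checked against the four MST(G) conditions of Section 3. This also exercises Lemmas 10 and 11, since HI-B can only keep holding if every edge added by Combine lies in $T(G)$. The graph, its weights and the encoding of states and actions are constructed here.

```python
import itertools
import random
from collections import deque

# Constructed sample graph (not from the paper); edge weights are unique.
EDGES = [("a", "b", 1), ("b", "c", 4), ("a", "c", 3), ("c", "d", 2), ("b", "d", 6), ("d", "e", 5)]
NODES = sorted({v for p, q, _ in EDGES for v in (p, q)})
WT = {frozenset((p, q)): w for p, q, w in EDGES}                    # edge -> weight
LINKS = [(p, q) for e in WT for p, q in itertools.permutations(e)]   # both directions

def kruskal():
    """T(G), the unique minimum spanning tree (Lemma 10); used only by the checks."""
    parent = {v: v for v in NODES}
    find = lambda v: v if parent[v] == v else find(parent[v])
    tree = set()
    for e in sorted(WT, key=WT.get):
        p, q = tuple(e)
        if find(p) != find(q):
            parent[find(p)] = find(q)
            tree.add(e)
    return tree

T_G = kruskal()

def connected(F, edges):
    """HI-A for one subgraph: every node of F is reachable from any other within F."""
    seen, todo = set(), deque([next(iter(F))])
    while todo:
        v = todo.popleft()
        seen.add(v)
        todo.extend(w for e in edges if v in e for w in e if w not in seen)
    return seen == F

class HI:
    """The HI automaton: FST maps each subgraph's node set to its edge set."""
    def __init__(self):
        self.fst = {frozenset([v]): frozenset() for v in NODES}
        self.answered = {l: False for l in LINKS}
        self.awake = False

    def fragment_of(self, p):
        return next(F for F in self.fst if p in F)

    def mw_external(self, F):                      # minimum-weight external edge of F, or None
        ext = [e for e in WT if len(e & F) == 1]
        return min(ext, key=WT.get) if ext else None

    def enabled(self):
        """Locally-controlled actions enabled in the current state (none before Start)."""
        acts = []
        if not self.awake:
            return acts
        for p, q in LINKS:
            if self.answered[(p, q)]:
                continue
            e, Fp, Fq = frozenset((p, q)), self.fragment_of(p), self.fragment_of(q)
            if e in self.fst[Fp] or e in (self.mw_external(Fp), self.mw_external(Fq)):
                acts.append(("InTree", (p, q)))
            if Fp == Fq and e not in self.fst[Fp]:
                acts.append(("NotInTree", (p, q)))
        for F, F2 in itertools.permutations(self.fst, 2):
            e = self.mw_external(F2)
            if e is not None and len(e & F) == 1:   # e is also an external edge of F
                acts.append(("Combine", (F, F2, e)))
        return acts

    def step(self, act):
        kind, arg = act
        if kind == "Start":
            self.awake = True
        elif kind in ("InTree", "NotInTree"):
            self.answered[arg] = True
        else:                                      # Combine(F, F', e): FST - {F, F'} + {F + F' + e}
            F, F2, e = arg
            self.fst[F | F2] = self.fst.pop(F) | self.fst.pop(F2) | {e}

    def invariant(self):
        """P_HI = HI-A and HI-B: connected pieces that form a minimum spanning forest."""
        hi_a = all(connected(F, E) for F, E in self.fst.items())
        hi_b = (sorted(v for F in self.fst for v in F) == NODES      # partition of V(G)
                and all(E <= T_G for E in self.fst.values()))        # subgraph of T(G)
        return hi_a and hi_b

def run(seed, deliver_start=True):
    """One fair execution: take enabled actions until none is enabled.  Returns the
    external schedule and whether P_HI held in every state."""
    rng, hi, sched = random.Random(seed), HI(), []
    ok = hi.invariant()
    if deliver_start:                              # the environment's input action
        hi.step(("Start", rng.choice(NODES)))
        sched.append(("Start", None))
    while acts := hi.enabled():
        act = rng.choice(acts)
        hi.step(act)
        ok = ok and hi.invariant()
        if act[0] != "Combine":
            sched.append(act)
    return sched, ok

def satisfies_mst(sched):
    """The four conditions on MST(G) schedules from Section 3."""
    outputs = [a for a in sched if a[0] != "Start"]
    if not any(a[0] == "Start" for a in sched):
        return not outputs                         # no output without an input
    return (all(sum(1 for _, l in outputs if l == link) == 1 for link in LINKS)
            and all((kind == "InTree") == (frozenset(l) in T_G) for kind, l in outputs))
```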

4.2 Safety

Each algorithm in the lattice below HI is presented in a separate subsection. Each subsection is organized as follows. First, an informal description of the algorithm is given, together with a discussion of any particularly interesting aspects. Then comes a description of the state of the automaton, both explicit variables, and derived variables (if any). A derived variable is a variable that is not an explicit element of the state, but is a function of the explicit variables. We employ the convention that whenever the definition of a derived variable is not unique or sensible, then the derived variable is undefined. The actions of the automaton are specified next. Then predicates to be shown invariant for this automaton are listed. The abstraction mapping to be used for simulating the higher-level automaton is defined next. All our state mappings conform to the rule that variables with the same name have the same value in all the algorithms. The only potential problem that might arise with this rule is if a derived variable is mapped to an explicit variable, but the derived variable is undefined. Although we will prove that this situation never occurs in states we are interested in, for completeness of the definition of state mapping one can simply choose some default value for the explicit variable. Often it is useful to derive some predicates about this automaton's state that follow from the invariant for this automaton and the higher-level one; these predicates are true of any state of this automaton satisfying the invariant and mapping to a reachable state of the higher-level algorithm. The proof of simulation completes the subsection.

4.2.1 COM Simulates HI

The COM algorithm still takes a completely global view of the algorithm, but some intermediate steps leading to combining are identified, and the state is expanded to include extra information about the subgraphs. The COM state consists of a set of fragments, a data structure used throughout the rest of the lattice. Each fragment $f$ has associated with it a subgraph of $G$, as well as other information: level(f), core(f), minlink(f), and rootchanged(f). Two milestones must be reached before a fragment can combine. First, the ComputeMin(f) action causes the minimum-weight external link of fragment $f$ to be identified as minlink(f), and second, the ChangeRoot(f) action indicates that fragment $f$ is ready to combine, by setting the variable rootchanged(f). This automaton distinguishes two ways that fragments (and hence, their associated subgraphs) can combine. The Merge(f, g) action causes two fragments, $f$ and $g$, at the same level with the same minimum-weight external edge, to combine; the new fragment has a higher level and a new core (i.e., identifying edge). The Absorb(f, g) action causes a fragment $g$ to be engulfed by the fragment $f$ at the other end of minlink(g), provided $f$ is at a higher level than $g$.

Define automaton COM (for "Common") as follows.

The state consists of a set fragments. Each element $f$ of the set is called a fragment, and has the following components:

• subtree(f), a subgraph of $G$;

• core(f), an edge of $G$ or nil;

• level(f), a nonnegative integer;

• minlink(f), a link of $G$ or nil;

• rootchanged(f), a Boolean.

The state also contains Boolean variables answered(l), one for each $l \in L(G)$, and Boolean variable awake.

In the start state of COM, fragments has one element for each node in $V(G)$; for fragment $f$ corresponding to node $p$, subtree(f) = {p}, core(f) = nil, level(f) = 0, minlink(f) is the minimum-weight link adjacent to $p$, and rootchanged(f) is false. Each answered(l) is false and awake is false.

Two fragments will be considered the same if either they have the same single-node subtree, or they have the same nonnil core.

We define the following derived variables.

• For node $p$, fragment(p) is the element $f$ of fragments such that $p$ is in subtree(f).

• A link $\langle p, q \rangle$ is an external link of $p$ and of fragment(p) if fragment(p) $\neq$ fragment(q); otherwise the link is internal.

• If minlink(f) = $\langle p, q \rangle$, then minedge(f) is the edge $(p, q)$, minnode(f) = $p$, and root(f) is the endpoint of core(f) closest to $p$.

• If $\langle p, q \rangle$ is the minimum-weight external link of fragment $f$, then mw-minnode(f) = $p$ and mw-root(f) is the endpoint of core(f) closest to $p$.

• subtree(p) is all nodes and edges of subtree(fragment(p)) on the opposite side of $p$ from core(fragment(p)).

• $q$ is a child of $p$ if $q \in$ subtree(p) and $(p, q) \in$ subtree(fragment(p)).

Input actions:

• Start(p), $p \in V(G)$
  Effects:
    awake := true

Output actions:

• InTree($\langle p, q \rangle$), $\langle p, q \rangle \in L(G)$
  Preconditions:
    awake = true
    $(p, q) \in$ subtree(fragment(p)) or $\langle p, q \rangle$ = minlink(fragment(p))
    answered($\langle p, q \rangle$) = false
  Effects:
    answered($\langle p, q \rangle$) := true

• NotInTree($\langle p, q \rangle$), $\langle p, q \rangle \in L(G)$
  Preconditions:
    fragment(p) = fragment(q) and $(p, q) \notin$ subtree(fragment(p))
    answered($\langle p, q \rangle$) = false
  Effects:
    answered($\langle p, q \rangle$) := true

Internal actions:

• ComputeMin(f), $f \in$ fragments
  Preconditions:
    minlink(f) = nil
    $l$ is the minimum-weight external link of $f$
    level(f) $\leq$ level(fragment(target(l)))
  Effects:
    minlink(f) := $l$

• ChangeRoot(f), $f \in$ fragments
  Preconditions:
    awake = true
    rootchanged(f) = false
    minlink(f) $\neq$ nil
  Effects:
    rootchanged(f) := true

• Merge(f, g), $f, g \in$ fragments
  Preconditions:
    rootchanged(f) = rootchanged(g) = true
    minedge(f) = minedge(g)
  Effects:
    add a new element $h$ to fragments
    subtree(h) := subtree(f) $\cup$ subtree(g) $\cup$ minedge(f)
    core(h) := minedge(f)
    level(h) := level(f) + 1
    minlink(h) := nil
    rootchanged(h) := false
    delete $f$ and $g$ from fragments

• Absorb(f, g), $f, g \in$ fragments
  Preconditions:
    rootchanged(g) = true
    level(g) < level(f)
    fragment(target(minlink(g))) = $f$
  Effects:
    subtree(f) := subtree(f) $\cup$ subtree(g) $\cup$ minedge(g)
    delete $g$ from fragments

Define the following predicates on states of COM. (All free variables are universally quantified.)

• COM-A: If minlink(f) = $l$, then $l$ is the minimum-weight external link of $f$, and level(f) $\leq$ level(fragment(target(l))).

• COM-B: If rootchanged(f) = true, then minlink(f) $\neq$ nil.

• COM-C: If awake = false, then minlink(f) $\neq$ nil, rootchanged(f) = false, and subtree(f) = {p} for some $p$.

• COM-D: If $f \neq g$, then subtree(f) $\neq$ subtree(g).

• COM-E: If subtree(f) = {p} for some $p$, then minlink(f) $\neq$ nil.

• COM-F: If |nodes(f)| = 1, then level(f) = 0 and core(f) = nil; if |nodes(f)| > 1, then level(f) > 0 and core(f) $\in$ subtree(f).

Let $P_{COM}$ be the conjunction of COM-A through COM-F.

In order to show that COM simulates HI, we define an abstraction mapping $\mathcal{M}_1 = (\mathcal{S}_1, \mathcal{A}_1)$ from COM to HI. Define the function $\mathcal{S}_1$ from states(COM) to states(HI) as follows. In conformance with our convention (cf. the beginning of Section 4.2), the values of awake and answered(l) (for all $l$) in $\mathcal{S}_1(s)$ are the same as in $s$. The value of FST in $\mathcal{S}_1(s)$ is the multiset {subtree(f) : $f \in$ fragments}.

Define the function $\mathcal{A}_1$ as follows. Let $s$ be a state of COM and $\pi$ an action of COM enabled in $s$.

• If $\pi$ = Start(p), InTree(l), or NotInTree(l), then $\mathcal{A}_1(s, \pi) = \pi$.

• If $\pi$ = ComputeMin(f) or ChangeRoot(f), then $\mathcal{A}_1(s, \pi)$ is empty.

• If $\pi$ = Merge(f, g) or Absorb(f, g), then $\mathcal{A}_1(s, \pi)$ = Combine(F, F', e), where $F$ = subtree(f) in $s$, $F'$ = subtree(g) in $s$, and $e$ = minedge(g) in $s$.

The following predicate is true in every state of COM satisfying $(P_{HI} \circ \mathcal{S}_1) \wedge P_{COM}$. (I.e., it is deducible from $P_{COM}$ and the HI predicates.)

• COM-G: The multiset {subtree(f) : $f \in$ fragments} forms a partition of $V(G)$, and fragment(p) is well-defined.

Proof: Let $s$ be a state of COM satisfying $(P_{HI} \circ \mathcal{S}_1) \wedge P_{COM}$. In $\mathcal{S}_1(s)$, FST = {subtree(f) : $f \in$ fragments}. By HI-B, FST forms a partition of $V(G)$. By COM-D, the multiset {subtree(f) : $f \in$ fragments} = FST, and thus it forms a partition of $V(G)$. Consequently, fragment(p) is well-defined. □
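An added example, not from the paper: the COM automaton (restricted to Start and its internal actions, since the output actions map to themselves under $\mathcal{A}_1$), the mappings $\mathcal{S}_1$ and $\mathcal{A}_1$, and a check of condition (3) of "simulates" along a random fair execution of COM: every Merge or Absorb step must map to a Combine(F, F', e) that is enabled in $\mathcal{S}_1(s')$ and whose effects yield exactly $\mathcal{S}_1(s)$, while ComputeMin and ChangeRoot must leave the image unchanged. The graph, the encoding of fragments and all function names are constructed here; $P_{COM}$ itself is not checked by this block.

```python
import itertools
import random
from types import SimpleNamespace

# Constructed sample graph (not from the paper); edge weights are unique.
EDGES = [("a", "b", 1), ("b", "c", 4), ("a", "c", 3), ("c", "d", 2), ("b", "d", 6), ("d", "e", 5)]
NODES = sorted({v for p, q, _ in EDGES for v in (p, q)})
WT = {frozenset((p, q)): w for p, q, w in EDGES}                    # edge -> weight
LINKS = [(p, q) for e in WT for p, q in itertools.permutations(e)]   # both directions
lw = lambda l: WT[frozenset(l)]                                       # weight of a link
key = lambda d: tuple(sorted(d))                                      # edge as a comparable tuple
ext = lambda nodes: [d for d in WT if len(d & nodes) == 1]            # external edges of a node set

class COM:
    """COM with Start and its internal actions; InTree and NotInTree are omitted.
    A fragment f holds subtree(f) as .nodes/.edges plus core, level, minlink, rootchanged."""
    def __init__(self):
        self.awake, self.nxt = False, len(NODES)
        self.fr = {i: SimpleNamespace(nodes=frozenset([p]), edges=frozenset(), core=None, level=0,
                                      minlink=min((l for l in LINKS if l[0] == p), key=lw),
                                      rootchanged=False) for i, p in enumerate(NODES)}

    def fragment(self, p):       # the derived variable fragment(p)
        return next(i for i, f in self.fr.items() if p in f.nodes)

    def mw_external_link(self, i):
        cand = [l for l in LINKS if l[0] in self.fr[i].nodes and l[1] not in self.fr[i].nodes]
        return min(cand, key=lw) if cand else None

    def enabled(self):           # internal actions enabled in the current state
        acts, fr = [], self.fr
        for i, f in fr.items():
            l = self.mw_external_link(i)
            if f.minlink is None and l and f.level <= fr[self.fragment(l[1])].level:
                acts.append(("ComputeMin", (i, l)))
            if self.awake and not f.rootchanged and f.minlink is not None:
                acts.append(("ChangeRoot", i))
        for i, j in itertools.permutations(fr, 2):   # rootchanged implies minlink != nil (COM-B)
            f, g = fr[i], fr[j]
            if f.rootchanged and g.rootchanged and frozenset(f.minlink) == frozenset(g.minlink):
                acts.append(("Merge", (i, j)))
            if g.rootchanged and g.level < f.level and self.fragment(g.minlink[1]) == i:
                acts.append(("Absorb", (i, j)))
        return acts

    def step(self, act):
        kind, arg = act
        if kind == "Start":
            self.awake = True
        elif kind == "ComputeMin":
            self.fr[arg[0]].minlink = arg[1]
        elif kind == "ChangeRoot":
            self.fr[arg].rootchanged = True
        elif kind == "Merge":    # a new fragment h at level + 1 with core minedge(f) replaces f and g
            f, g = (self.fr.pop(k) for k in arg)
            e = frozenset(f.minlink)
            self.fr[self.nxt] = SimpleNamespace(nodes=f.nodes | g.nodes, edges=f.edges | g.edges | {e},
                                                core=e, level=f.level + 1, minlink=None, rootchanged=False)
            self.nxt += 1
        else:                    # Absorb: g is engulfed by f along minedge(g)
            f, g = self.fr[arg[0]], self.fr.pop(arg[1])
            f.nodes, f.edges = f.nodes | g.nodes, f.edges | g.edges | {frozenset(g.minlink)}

canon = lambda f: (tuple(sorted(f.nodes)), tuple(sorted(map(key, f.edges))))   # a subtree, comparable

def S1(com):                     # state mapping S_1: awake carried over, FST = multiset of subtrees
    return com.awake, sorted(map(canon, com.fr.values()))

def A1(com, act):                # action mapping A_1(s, pi): a list of zero or one HI actions
    if act[0] in ("ComputeMin", "ChangeRoot"):
        return []
    if act[0] == "Start":
        return [act]
    F, G = (canon(com.fr[k]) for k in act[1])     # Merge(f, g), Absorb(f, g) -> Combine(F, F', e)
    return [("Combine", (F, G, frozenset(com.fr[act[1][1]].minlink)))]

def hi_step(state, act):         # HI's Start or Combine(F, F', e): the post-state, or None if not enabled
    awake, fst = state
    if act[0] == "Start":
        return True, fst
    F, G, e = act[1]
    if not (awake and F != G and F in fst and G in fst and e in ext(set(F[0]))
            and e == min(ext(set(G[0])), key=WT.get)):
        return None
    new = (tuple(sorted(F[0] + G[0])), tuple(sorted(F[1] + G[1] + (key(e),))))
    return awake, sorted([H for H in fst if H not in (F, G)] + [new])

def check_simulation(seed):
    """Condition (3) of 'simulates' along one random fair execution of COM: at every step
    A_1(s', pi) is empty (and the images coincide) or is enabled in S_1(s') and leads to S_1(s)."""
    rng, com, act = random.Random(seed), COM(), ("Start", NODES[0])
    while True:
        before, image = S1(com), A1(com, act)
        com.step(act)
        if (hi_step(before, image[0]) if image else before) != S1(com):
            return False
        acts = com.enabled()
        if not acts:             # the fair execution ends with one fragment: the whole tree
            return len(com.fr) == 1
        act = rng.choice(acts)
```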

Lemma 13: COM simulates HI via $\mathcal{M}_1$, $P_{COM}$, and $P_{HI}$.

Proof: By inspection, the types of COM, HI, $\mathcal{M}_1$ and $P_{COM}$ are correct. By Theorem 12, $P_{HI}$ is a predicate true in every reachable state of HI.

(1) Let $s$ be in start(COM). Obviously, $P_{COM}$ is true in $s$, and $\mathcal{S}_1(s)$ is in start(HI).

(2) Obviously, $\mathcal{A}_1(s, \pi)|ext(HI) = \pi|ext(COM)$ for any state $s$ of COM.

(3) Let $(s', \pi, s)$ be a step of COM such that $P_{HI}$ is true of $\mathcal{S}_1(s')$ and $P_{COM}$ is true of $s'$. We consider each possible value of $\pi$.

i) $\pi$ is Start(p), InTree(l), or NotInTree(l). $\mathcal{A}_1(s', \pi) = \pi$. Obviously, $P_{COM}$ is true in $s$, and $\mathcal{S}_1(s') \pi \mathcal{S}_1(s)$ is an execution fragment of HI.

ii) $\pi$ is ComputeMin(f) or ChangeRoot(f). $\mathcal{A}_1(s', \pi)$ is empty. Obviously, $\mathcal{S}_1(s') = \mathcal{S}_1(s)$. Obviously, COM-A, COM-B, COM-D and COM-F are true in $s$. By COM-C for ComputeMin(f) and by precondition for ChangeRoot(f), awake = true in $s'$, and also in $s$; thus, COM-C is true in $s$.

Obviously, COM-E is true in $s$ for any fragment $f' \neq f$. If $\pi$ = ComputeMin(f), then minlink(f) $\neq$ nil in $s$, and COM-E is vacuously true in $s$ for $f$. If $\pi$ = ChangeRoot(f), then by COM-B, minlink(f) $\neq$ nil in $s'$ and also in $s$, so COM-E is vacuously true in $s$ for $f$.
iii) $\pi$ is Merge(f, g).

(3c) $\mathcal{A}_1(s', \pi)$ = Combine(F, F', e), where $F$ = subtree(f) in $s'$, $F'$ = subtree(g) in $s'$, and $e$ = minedge(g) in $s'$, for some fragments $f$ and $g$.

Claims about $s'$:

1. $f \neq g$, by precondition.

2. rootchanged(f) = rootchanged(g) = true, by precondition.

3. minedge(f) = minedge(g), by precondition.

4. awake = true, by Claim 2 and COM-C.

5. minedge(f) $\neq$ nil and minedge(g) $\neq$ nil, by Claim 2 and COM-B.

6. minlink(f) is an external link of $f$, by COM-A and Claim 5.

7. minlink(g) is the minimum-weight external link of $g$, by COM-A and Claim 5.

Let $F$ = subtree(f), $F'$ = subtree(g) and $e$ = minedge(g).

Claims about $\mathcal{S}_1(s')$: (All depend on the definition of $\mathcal{S}_1$.)

8. awake = true, by Claim 4.

9. $F \neq F'$, by Claim 1 and COM-D.

10. $e$ is an external edge of $F$, by Claims 3 and 6.

11. $e$ is the minimum-weight external edge of $F'$, by Claim 7.

By Claims 8 through 11, Combine(F, F', e) is enabled in $\mathcal{S}_1(s')$. Obviously, its effects are mirrored in $\mathcal{S}_1(s)$.

(3a) More claims about $s'$:

12. level(f) $\geq$ 0, by COM-F.

13. subtree(f') and subtree(g') are disjoint, for all $f' \neq g'$, by COM-G.

Claims about $s$:

14. subtree(h) = subtree(f) $\cup$ subtree(g) $\cup$ minedge(f), by code.

15. core(h) = minedge(f), by code.

16. level(h) = level(f) + 1, by code.

17. minlink(h) = nil, by code.

18. rootchanged(h) = false, by code.

19. $f$ and $g$ are removed from fragments, by code.

20. awake = true, by Claim 4.

21. subtree(f') and subtree(g') are disjoint, for all $f' \neq g'$, by Claims 13, 14 and 19.

22. |nodes(h)| > 1, by Claim 14.

23. level(h) $\geq$ 1, by Claims 12 and 16.

24. core(h) $\in$ subtree(h), by Claims 14 and 15.

COM-A is vacuously true for $h$ by Claim 17. COM-B is vacuously true for $h$ by Claim 18. COM-C is vacuously true by Claim 20. COM-D is true by Claim 21. COM-E is vacuously true for $h$ by Claim 22. COM-F is true for $h$ by Claims 22, 23 and 24.

iv) π is Absorb(f,g).

(3c) A1(s',π) = Combine(F,F',e), where F = subtree(f) in s', F' = subtree(g)
in s', and e = minedge(g) in s', for some fragments f and g.

Claims about s':

1. rootchanged(g) = true, by precondition.

2. level(g) < level(f), by precondition.

3. fragment(target(minlink(g))) = f, by precondition.

4. f ≠ g, by Claim 2.

5. minlink(g) is an external link of f, by Claims 3 and 4.

6. minlink(g) ≠ nil, by Claim 3.

7. minlink(g) is the minimum-weight external link of g, by Claim 6 and COM-A.

8. awake = true, by Claim 1 and COM-C.

Let F = subtree(f), F' = subtree(g) and e = minedge(g).

Claims about S1(s'): (All depend on the definition of S1.)

9. awake = true, by Claim 8.

10. F ≠ F', by Claim 4 and COM-D.

11. e is an external edge of F, by Claim 5.

12. e is the minimum-weight external edge of F', by Claim 7.

By Claims 9 through 12, Combine(F,F',e) is enabled in S1(s'). Obviously, its
effects are mirrored in S1(s).

(3a) COM-A: If minlink(f) = nil in s', then the same is true in s, and COM-A
is vacuously true for f. Suppose minlink(f) = l in s'. Let f' = fragment(target(l)).

More claims about s':

13. level(f) ≤ level(f'), by COM-A.

14. f' ≠ g, by Claims 2 and 13.

15. minedge(f) ≠ minedge(g), by Claim 14.

16. minlink(f) is the minimum-weight external link of f, by COM-A.

17. If e' ≠ minedge(g) is an external edge of g, then wt(e') > wt(minedge(f)). Pf:
wt(e') > wt(minedge(g)) by Claim 7, and wt(minedge(g)) > wt(minedge(f)) by
Claims 5, 15 and 16.

Since minlink(f) is the same in s as in s', Claims 16 and 17 imply that in s,
minlink(f) is the minimum-weight external link of f. The only fragment whose level
changes in going from s' to s is g (since g disappears). Thus, Claim 14 implies that
in s, level(f) ≤ level(f'). Finally, COM-A is true in s.

The next claims are used to verify COM-B through COM-F.

More claims about s':

18. subtree(f') and subtree(g') are disjoint, for all f' ≠ g', by COM-G.

19. level(g) ≥ 0, by COM-F.

20. level(f) > 0, by Claims 2 and 19.

21. |nodes(f)| > 1, by Claim 20 and COM-F.

22. core(f) ∈ subtree(f), by Claim 21 and COM-F.

Claims about s:

23. awake = true, by Claim 1.

24. subtree(f) in s is equal to subtree(f) ∪ subtree(g) ∪ minedge(g) in s', by code.

25. subtree(f') and subtree(g') are disjoint, for all f' ≠ g', by Claims 18 and 24.

26. |nodes(f)| > 1, by Claims 21 and 24.

27. level(f) > 0, by Claim 20.

28. core(f) ∈ subtree(f), by Claims 22 and 24.

COM-B is unaffected. COM-C is vacuously true by Claim 23. COM-D is true
by Claim 25. COM-E is vacuously true for f by Claim 26. COM-F is true for f by
Claims 26, 27 and 28. □

Let P'_COM = (P_HI ∘ S1) ∧ P_COM.

Corollary 14: P'_COM is true in every reachable state of COM.

Proof: By Lemmas 1 and 13. □
4.2.2 GC Simulates COM

The GC automaton expands on the process of finding the minimum-weight
external link of a fragment, by introducing for each fragment f a set testset(f) of
nodes that are participating in the search. Once a node in f has found its minimum-
weight external link, it is removed from testset(f). A new action, TestNode(p), is
added, by which a node p atomically finds its minimum-weight external link;
however, the fragment at the other end of the link cannot be at a lower level than
p's fragment in order for this action to occur. The new variable accmin(f) (for
"accumulated minlink") stores the link with the minimum weight over all links
external to nodes of f no longer in testset(f). ComputeMin(f) cannot occur until
testset(f) is empty. When an Absorb(f,g) action occurs, all the nodes formerly in
g are added to testset(f) if and only if the target of minlink(g) is in testset(f). This
version of the algorithm is still totally global in approach.

Define automaton GC (for "Global ComputeMin") as follows.

The state consists of a set fragments. Each element f of the set is called a
fragment, and has the following components:

• subtree(f), a subgraph of G;

• core(f), an edge of G or nil;

• level(f), a nonnegative integer;

• minlink(f), a link of G or nil;

• rootchanged(f), a Boolean;

• testset(f), a subset of V(G); and

• accmin(f), a link of G or nil.

The state also contains Boolean variables, answered(l), one for each l ∈ L(G), and
Boolean variable awake.

In the start state of GC, fragments has one element for each node in V(G);
for fragment f corresponding to node p, subtree(f) = {p}, core(f) = nil, level(f) =
0, minlink(f) is the minimum-weight link adjacent to p, rootchanged(f) is false,
testset(f) is empty, and accmin(f) is nil. Each answered(l) is false and awake is
false.
Input actions:

• Start(p), p ∈ V(G)

Effects:

awake := true

Output actions:

• InTree((p,q)), (p,q) ∈ L(G)

Preconditions:

awake = true
(p,q) ∈ subtree(fragment(p)) or (p,q) = minlink(fragment(p))
answered((p,q)) = false

Effects:

answered((p,q)) := true

• NotInTree((p,q)), (p,q) ∈ L(G)

Preconditions:

fragment(p) = fragment(q) and (p,q) ∉ subtree(fragment(p))
answered((p,q)) = false

Effects:

answered((p,q)) := true

Internal actions:

• TestNode(p), p ∈ V(G)

Preconditions:

— let f = fragment(p) —
p ∈ testset(f)
if (p,q), the minimum-weight external link of p, exists
then level(f) ≤ level(fragment(q))

Effects:

testset(f) := testset(f) − {p}
if (p,q), the minimum-weight external link of p, exists
and wt(p,q) < wt(accmin(f))
then accmin(f) := (p,q)

• ComputeMin(f), f ∈ fragments

Preconditions:

minlink(f) = nil
accmin(f) ≠ nil
testset(f) = ∅

Effects:

minlink(f) := accmin(f)
accmin(f) := nil

• ChangeRoot(f), f ∈ fragments

Preconditions:

awake = true
rootchanged(f) = false
minlink(f) ≠ nil

Effects:

rootchanged(f) := true

• Merge(f,g), f,g ∈ fragments

Preconditions:

f ≠ g
rootchanged(f) = rootchanged(g) = true
minedge(f) = minedge(g) ≠ nil

Effects:

add a new element h to fragments
subtree(h) := subtree(f) ∪ subtree(g) ∪ minedge(f)
core(h) := minedge(f)
level(h) := level(f) + 1
minlink(h) := nil
rootchanged(h) := false
testset(h) := nodes(h)
accmin(h) := nil
delete f and g from fragments

• Absorb(f,g), f,g ∈ fragments

Preconditions:

rootchanged(g) = true
level(g) < level(f)
— let p = target(minlink(g)) —
fragment(p) = f

Effects:

subtree(f) := subtree(f) ∪ subtree(g) ∪ minedge(g)
if p ∈ testset(f) then testset(f) := testset(f) ∪ nodes(g)
delete g from fragments

Define the following predicates on the states of GC. (All free variables are
universally quantified.)

• GC-A: If accmin(f) = (p,q), then (p,q) is the minimum-weight external link
of any node in nodes(f) − testset(f), and level(f) ≤ level(fragment(q)).

• GC-B: If there is an external link of f, if minlink(f) = nil, and if testset(f) =
∅, then accmin(f) ≠ nil.

• GC-C: If testset(f) ≠ ∅, then minlink(f) = nil.

Let P_GC = GC-A ∧ GC-B ∧ GC-C.
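As an added worked example (not code from the paper), the following Python simulates the GC automaton just defined on a small constructed weighted graph and asserts GC-A, GC-B and GC-C after every step, running TestNode, ComputeMin, ChangeRoot, Merge and Absorb to quiescence. The class and function names, the fixed scheduling order of enabled actions, and the convention wt(nil) = ∞ for the comparison in TestNode are this example's own assumptions.

```python
INF = float("inf")   # wt(nil): any real link beats an empty accmin

class Fragment:
    def __init__(self, nodes, level=0, core=None):
        self.nodes, self.level, self.core = set(nodes), level, core
        self.subtree = set()       # edges (frozensets) of the fragment's tree
        self.minlink = None        # link (p, q), or None for nil
        self.rootchanged, self.testset, self.accmin = False, set(), None

class GC:
    # Fragment-level GC state; each action returns False if its precondition fails.
    def __init__(self, edges):
        self.wt = dict(edges)                   # frozenset({p, q}) -> distinct weight
        self.nodes = set().union(*self.wt)
        self.fragments, self.awake = [], False
        for p in sorted(self.nodes):            # start state: one fragment per node
            f = Fragment({p})
            f.minlink = self.min_external_link(p, f)
            self.fragments.append(f)
    def fragment(self, p):
        return next(f for f in self.fragments if p in f.nodes)
    def w(self, link):
        return INF if link is None else self.wt[frozenset(link)]
    def external_links(self, p, f):
        return [(p, q) for e in self.wt if p in e for q in e - {p} if q not in f.nodes]
    def min_external_link(self, p, f):
        return min(self.external_links(p, f), key=self.w, default=None)

    def test_node(self, p):
        f = self.fragment(p)
        l = self.min_external_link(p, f)
        if p not in f.testset or (l and f.level > self.fragment(l[1]).level):
            return False                        # other end must not be at a lower level
        f.testset.discard(p)
        if l and self.w(l) < self.w(f.accmin):
            f.accmin = l
        return True
    def compute_min(self, f):
        if f.minlink is not None or f.accmin is None or f.testset:
            return False
        f.minlink, f.accmin = f.accmin, None
        return True
    def change_root(self, f):
        if not (self.awake and not f.rootchanged and f.minlink):
            return False
        f.rootchanged = True
        return True
    def merge(self, f, g):
        if f is g or not (f.rootchanged and g.rootchanged and f.minlink and g.minlink) \
           or frozenset(f.minlink) != frozenset(g.minlink):
            return False
        e = frozenset(f.minlink)                # minedge(f) = minedge(g)
        h = Fragment(f.nodes | g.nodes, f.level + 1, e)
        h.subtree = f.subtree | g.subtree | {e}
        h.testset = set(h.nodes)                # every node of h must be tested again
        self.fragments = [x for x in self.fragments if x not in (f, g)] + [h]
        return True
    def absorb(self, f, g):
        if not (g.rootchanged and g.level < f.level and g.minlink
                and self.fragment(g.minlink[1]) is f):
            return False
        p = g.minlink[1]                        # target of minlink(g), a node of f
        f.subtree |= g.subtree | {frozenset(g.minlink)}
        if p in f.testset:                      # g's nodes join the search only then
            f.testset |= g.nodes
        f.nodes |= g.nodes
        self.fragments.remove(g)
        return True

    def check_invariants(self):
        for f in self.fragments:
            done = f.nodes - f.testset
            if f.accmin is not None:                                   # GC-A
                best = min((l for r in done for l in self.external_links(r, f)), key=self.w)
                assert f.accmin == best and f.level <= self.fragment(f.accmin[1]).level
            if f.minlink is None and not f.testset and any(self.external_links(p, f) for p in f.nodes):
                assert f.accmin is not None                            # GC-B
            if f.testset:                                              # GC-C
                assert f.minlink is None
    def run(self, max_steps=500):
        # Fire one enabled action per round, in a fixed order, until none is enabled.
        self.awake = True                       # Start(p) has occurred for every p
        for _ in range(max_steps):
            self.check_invariants()
            fs = list(self.fragments)
            if not (any(map(self.test_node, sorted(self.nodes))) or any(map(self.compute_min, fs))
                    or any(map(self.change_root, fs)) or any(self.merge(f, g) for f in fs for g in fs)
                    or any(self.absorb(f, g) for f in fs for g in fs)):
                break
        return self.fragments

# Constructed 5-node graph with distinct weights; its MST is {ab, cd, bc, de}, weight 11.
EXAMPLE_EDGES = {frozenset("ab"): 1, frozenset("cd"): 2, frozenset("bc"): 3,
                 frozenset("ad"): 4, frozenset("de"): 5, frozenset("ae"): 6}

def spanning_tree(edges=EXAMPLE_EDGES):
    gc = GC(edges)                              # returns (fragments left, tree weight, level)
    f = gc.run()[0]
    return len(gc.fragments), sum(gc.wt[e] for e in f.subtree), f.level
```

On the constructed graph the run ends with a single level-2 fragment whose subtree is the minimum spanning tree; the last Absorb exercises the branch of its effect in which the target of minlink(g) is still in testset(f).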

In order to show that GC simulates COM, we define an abstraction mapping
M2 = (S2, A2) from GC to COM. Define the function S2 from states(GC) to
states(COM) by simply ignoring the variables accmin(f) and testset(f) for all
fragments f when going from a state of GC to a state of COM.

Define the function A2 as follows. Let s be a state of GC and π an action of GC
enabled in s. If π = TestNode(p), then A2(s,π) is empty. Otherwise, A2(s,π) = π.

Recall that P'_COM = (P_HI ∘ S1) ∧ P_COM. If P'_COM(S2(s)) is true, then the
COM predicates are true in S2(s), and the HI predicates are true in S1(S2(s)).

Lemma 15: GC simulates COM via M2, P_GC and P'_COM.

Proof: By inspection, the types of GC, COM, M2, and P_GC are correct. By
Corollary 14, P'_COM is a predicate true in every reachable state of COM.

(1) Let s be in start(GC). Obviously, P_GC is true in s, and S2(s) is in
start(COM).

(2) Obviously, A2(s,π)|ext(COM) = π|ext(GC).

(3) Let (s',π,s) be a step of GC such that P'_COM is true of S2(s') and P_GC is
true of s'.

i) π is Start(p), InTree(l), NotInTree(l), or ChangeRoot(f). Obviously,
S2(s')πS2(s) is an execution fragment of COM, and P_GC is true in s.

ii) π is ComputeMin(f).

(3a) Obviously, P_GC is still true in s for any f' ≠ f. GC-A is vacuously true
for f in s, since accmin(f) is set to nil. GC-B is vacuously true for f in s, since
minlink(f) ≠ nil. By COM-C, awake = true in S2(s') and thus in s'; the same is
true in s, so GC-C(a) is true in s for f. GC-C(b) is vacuously true for f in s, since
testset(f) = ∅.

(3c) A2(s',π) = π.

Claims about s':

1. testset(f) = ∅, by precondition.

2. accmin(f) ≠ nil, by precondition.

3. level(f) ≤ level(fragment(target(accmin(f)))), by Claim 2 and GC-A.

4. accmin(f) is the minimum-weight external link of f, by Claim 2, GC-A, and
Claim 1.

5. level(f) ≤ level(fragment(target(l))), where l is the minimum-weight external
link of f, by Claims 3 and 4.

Using Claim 5, it is easy to see that S2(s')πS2(s) is an execution fragment of
COM.

iii) π is TestNode(p).

(3a) Obviously, P_GC is still true in s for any f' ≠ f. Inspecting the code verifies
that GC-A and GC-B are still true in s for f as well. By GC-C(b), minlink(f) = nil
in s'; GC-C is true for f in s because minlink(f) is not changed.

(3b) A2(s',π) is empty, and obviously S2(s') = S2(s).

iv) π is Merge(f,g).

(3a) Obviously, P_GC is still true in s for any f' other than f and g. GC-A is
vacuously true in s for h, since accmin(h) = nil. GC-B is vacuously true in s for
h, since testset(h) ≠ ∅. GC-C is true in s for h since minlink(h) = nil.

(3c) A2(s',π) = π. Obviously, S2(s')πS2(s) is an execution fragment of COM.

v) π is Absorb(f,g).

(3a) Obviously, P_GC is still true in s for any f' other than f and g.

In going from s' to s, testset(f) is either empty in both or non-empty in both,
minlink(f) remains the same, and the truth of the existence of an external link of
f either stays true or goes from true to false. Thus GC-B and GC-C are true in s
for f.

We now deal with GC-A. If accmin(f) = nil in s', then the same is true in s,
so GC-A is vacuously true for f in s.

Assume accmin(f) = (r,t). Let minlink(g) = (q,p).

Claims about s':

1. level(g) < level(f), by precondition.

2. fragment(p) = f, by precondition.

3. level(f) ≤ level(fragment(t)), by GC-A.

4. fragment(t) ≠ g, by Claims 1 and 3.

5. (q,p) ≠ (t,r), by Claim 4 and COM-A.

6. wt(q,p) < wt(l), for any l ≠ (q,p) that is an external link of g, by COM-A.

7. If p ∉ testset(f), then wt(r,t) < wt(q,p), by Claim 5 and GC-A.

8. If p ∉ testset(f), then wt(r,t) < wt(l), for any l that is an external link of g, by
Claims 6 and 7.

If p ∉ testset(f) in s', then any node p' ∈ nodes(f) is not in testset(f) in s
exactly if, in s', p' is either in nodes(f) − testset(f) or in nodes(g). Claim 8 implies
that in s, (r,t) is still the minimum-weight external link of any node in f that is
not in testset(f).

If p ∈ testset(f) in s', then any node p' ∈ nodes(f) is not in testset(f) in s
exactly if p' is in nodes(f) − testset(f) in s'. Thus in s, (r,t) is still the minimum-
weight external link of any node in f that is not in testset(f).

Since g is the only fragment whose level changes in going from s' to s, Claim 4
implies that level(f) ≤ level(fragment(t)) in s. Thus, since accmin(f) = (r,t) in s,
GC-A is true in s for f.

(3c) A2(s',π) = π. Obviously S2(s')πS2(s) is an execution fragment of
COM. □

Let P'_GC = (P'_COM ∘ S2) ∧ P_GC.

Corollary 16: P'_GC is true in every reachable state of GC.

Proof: By Lemmas 1 and 15. □
4.2.3 TAR Simulates GC

This automaton expands on the method by which a node finds its local
minimum-weight external link. Some local information is introduced in this
version, in the form of node variables and messages. Three FIFO message queues are
associated with each link (p,q): tarqueue_p((p,q)), the outgoing queue local to p;
tarqueue_pq((p,q)), modelling the communication channel; and tarqueue_q((p,q)), the
incoming queue local to q. The action ChannelSend(l,m) transfers a message m
from the outgoing local queue of link l to the communication channel of l; and the
action ChannelRecv(l,m) transfers a message m from the communication channel
of link l to the incoming local queue of l.

Each link l is classified by the variable lstatus(l) as branch, rejected, or
unknown. Branch means the link will definitely be in the minimum spanning tree;
rejected means it definitely will not be; and unknown means that the link's status
is currently unknown. Initially, all the links are unknown.

The search for node p's minimum-weight external link is initiated by the
action SendTest(p), which causes p to identify its minimum-weight unknown link as
testlink(p), and to send a TEST message over its testlink together with information
about the level and core (identity) of p's fragment. If the level of the recipient
q's fragment is less than p's, the message is requeued at q, to be dealt with later
(when q's level has increased sufficiently). Otherwise, a response is sent back. If
the fragments are different, the response is an ACCEPT message; otherwise, it is a
REJECT message. An optimization is that if q has already sent a TEST message over
the same edge and is waiting for a response, and if p and q are in the same fragment,
then q does not respond: the TEST message that q already sent will inform p that
the edge (p,q) is not external.

When a REJECT message (or a TEST in the optimized case described above) is
received, the recipient marks that link as rejected, if it is unknown. It is possible
that the link is already marked as branch, in which case it should not be changed
to rejected.

When a ChangeRoot(f) occurs, minlink(f) is marked as branch; when an
Absorb(f,g) occurs, the reverse link of minlink(g) is marked as branch. As soon as
a link l is classified as branch, the InTree(l) output action can occur; as soon as a
link l is classified as rejected, the NotInTree(l) output action can occur.

The requeuing of a message is a delicate aspect of this (as well as the original)
algorithm. When p receives a message that it is not yet ready to handle, it cannot
simply block receiving any more messages on that link, but instead it must allow
other messages to jump over that message, as the following example shows. Suppose
p is in a fragment at level 3, q is in a fragment at level 4, p sends a TEST message
to q with parameter 3, and before it is received, q sends a TEST message to p with
parameter 4. When p receives q's TEST message, it is not ready to handle it. When
q receives p's TEST message, it sends back an ACCEPT message. In order to prevent
deadlock, p must be able to receive this ACCEPT message, even though it was sent
after the TEST message. Thus, the correctness of the algorithm depends on a subtle
interplay between FIFO behavior and occasional, well-defined exceptions to it.

The following scenario demonstrates the necessity of checking that lstatus(l) is
unknown before changing it to rejected, when a TEST or REJECT is received. (The
reason for the check, which also appears in the full algorithm, is not explained in
[GHS].) Suppose p is in fragment f with level 8 and core c, q is in fragment g with
level 4 and core d, and (q,p) is the minimum-weight external link of g. First, q
determines that (q,p) is its local minimum-weight external link. Then p sends a
TEST(8,c) message to q, which is requeued, since 8 > 4. Eventually, ComputeMin(g)
occurs, and minlink(g) is set equal to (q,p). Then ChangeRoot(g) occurs, and (q,p)
is marked as branch. Then Absorb(f,g) occurs, and (p,q) is marked as branch. The
next time that q tries to process p's TEST(8,c) message, it succeeds, determines that
(q,p) is not external, since c is the core of q's fragment, and sends REJECT to p. But
q had better not change the classification of (q,p) from branch to rejected. Similarly,
when p receives q's REJECT message, it had better not change the classification of
(p,q) from branch to rejected.

Define automaton TAR (for "Test-Accept-Reject") as follows.

The state consists of a set fragments. Each element f of the set is called a
fragment, and has the following components:

• subtree(f), a subgraph of G;

• core(f), an edge of G or nil;

• level(f), a nonnegative integer;

• minlink(f), a link of G or nil;

• rootchanged(f), a Boolean; and

• testset(f), a subset of V(G).

For each node p, there is a variable testlink(p), which is either a link of G or nil.
For each link (p,q), there are associated four variables:

• lstatus((p,q)), which takes on the values "unknown", "branch" and "rejected";

• tarqueue_p((p,q)), a FIFO queue of messages from p to q waiting at p to be sent;

• tarqueue_pq((p,q)), a FIFO queue of messages from p to q that are in the
communication channel; and

• tarqueue_q((p,q)), a FIFO queue of messages from p to q waiting at q to be
processed.

The set of possible messages M is {TEST(l,c) : l ≥ 0, c ∈ E(G)} ∪ {ACCEPT,
REJECT}.

The state also contains Boolean variables, answered(l), one for each l ∈ L(G),
and Boolean variable awake.

In the start state of TAR, fragments has one element for each node in V(G); for
fragment f corresponding to node p, subtree(f) = {p}, core(f) = nil, level(f) = 0,
minlink(f) is the minimum-weight link adjacent to p, rootchanged(f) is false, and
testset(f) is empty. For all p, testlink(p) is nil. For each link l, lstatus(l) = unknown.
The message queues are empty. Each answered(l) is false and awake is false.

The derived variable tarqueue((p,q)) is defined to be tarqueue_p((p,q)) ||
tarqueue_pq((p,q)) || tarqueue_q((p,q)). (Given two FIFO queues q1 and q2, define
q1||q2 to be the FIFO queue obtained by appending q2 to the end of q1. Obviously
this operation is associative.)

The derived variable accmin(f) is defined as follows. If minlink(f) ≠ nil, or
if there is no external link of any p ∈ nodes(f) − testset(f), then accmin(f) = nil.
Otherwise, accmin(f) is the minimum-weight external link of all p ∈ nodes(f) −
testset(f).

Input actions:

• Start(p), p ∈ V(G)

Effects:

awake := true
Output actions:

• InTree((p,q)), (p,q) ∈ L(G)

Preconditions:

lstatus((p,q)) = branch
answered((p,q)) = false

Effects:

answered((p,q)) := true

• NotInTree((p,q)), (p,q) ∈ L(G)

Preconditions:

lstatus((p,q)) = rejected
answered((p,q)) = false

Effects:

answered((p,q)) := true

Internal actions (and a procedure):

• ChannelSend((p,q),m), (p,q) ∈ L(G), m ∈ M

Preconditions:

m at head of tarqueue_p((p,q))

Effects:

dequeue(tarqueue_p((p,q)))
enqueue(m, tarqueue_pq((p,q)))

• ChannelRecv((p,q),m), (p,q) ∈ L(G), m ∈ M

Preconditions:

m at head of tarqueue_pq((p,q))

Effects:

dequeue(tarqueue_pq((p,q)))
enqueue(m, tarqueue_q((p,q)))

• SendTest(p), p ∈ V(G)

Preconditions:

p ∈ testset(fragment(p))
testlink(p) = nil

Effects:

execute procedure Test(p)

• Procedure Test(p), p ∈ V(G)

— let f = fragment(p) —
if l, the minimum-weight link of p with lstatus(l) = unknown, exists then [
testlink(p) := l
enqueue(TEST(level(f), core(f)), tarqueue_p(l)) ]
else [
remove p from testset(f)
testlink(p) := nil ]

• ReceiveTest((q,p),l,c), (q,p) ∈ L(G)

Preconditions:

TEST(l,c) at head of tarqueue_p((q,p))

Effects:

dequeue(tarqueue_p((q,p)))
if l > level(fragment(p)) then
enqueue(TEST(l,c), tarqueue_p((q,p)))
else
if c ≠ core(fragment(p)) then
enqueue(ACCEPT, tarqueue_p((p,q)))
else [
if lstatus((p,q)) = unknown then lstatus((p,q)) := rejected
if testlink(p) ≠ (p,q) then
enqueue(REJECT, tarqueue_p((p,q)))
else execute procedure Test(p) ]

• ReceiveAccept((q,p)), (q,p) ∈ L(G)

Preconditions:

ACCEPT at head of tarqueue_p((q,p))

Effects:

dequeue(tarqueue_p((q,p)))
testlink(p) := nil
remove p from testset(fragment(p))

• ReceiveReject((q,p)), (q,p) ∈ L(G)

Preconditions:

REJECT at head of tarqueue_p((q,p))

Effects:

dequeue(tarqueue_p((q,p)))
if lstatus((p,q)) = unknown then lstatus((p,q)) := rejected
execute procedure Test(p)

• ComputeMin(f), f ∈ fragments

Preconditions:

minlink(f) = nil
accmin(f) ≠ nil
testset(f) = ∅

Effects:

minlink(f) := accmin(f)

• ChangeRoot(f), f ∈ fragments

Preconditions:

awake = true
rootchanged(f) = false
minlink(f) ≠ nil

Effects:

rootchanged(f) := true
lstatus(minlink(f)) := branch

• Merge(f,g), f,g ∈ fragments

Preconditions:

f ≠ g
rootchanged(f) = rootchanged(g) = true
minedge(f) = minedge(g)

Effects:

add a new element h to fragments
subtree(h) := subtree(f) ∪ subtree(g) ∪ minedge(f)
core(h) := minedge(f)
level(h) := level(f) + 1
minlink(h) := nil
rootchanged(h) := false
testset(h) := nodes(h)
delete f and g from fragments

• Absorb(f,g), f,g ∈ fragments

Preconditions:

rootchanged(g) = true
level(g) < level(f)
— let (q,p) = minlink(g) —
fragment(p) = f

Effects:

subtree(f) := subtree(f) ∪ subtree(g) ∪ minedge(g)
if p ∈ testset(f) then testset(f) := testset(f) ∪ nodes(g)
lstatus((p,q)) := branch
delete g from fragments
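As an added worked example (not code from the paper), the following Python models the ReceiveTest and ReceiveReject steps just defined, with and without the "if lstatus = unknown" guard, and replays the scenario given earlier in this subsection (p in f at level 8 with core c, q in g at level 4 with core d, and (q,p) already branch by the time the requeued TEST is processed). Class, method and field names are this example's own, and the three queues of a link are collapsed into the single derived tarqueue((p,q)).

```python
from collections import deque

UNKNOWN, BRANCH, REJECTED = "unknown", "branch", "rejected"

class Fragment:
    def __init__(self, level, core):
        self.level, self.core = level, core

class Tar:
    # Node-level TAR state: lstatus, testlink and one queue per link (p,q) holding
    # the messages travelling from p to q (the derived variable tarqueue((p,q))).
    def __init__(self, fragment_of, guard_unknown=True):
        self.fragment_of = dict(fragment_of)   # node -> Fragment
        self.lstatus = {}                      # link -> status; absent means unknown
        self.tarqueue = {}                     # link -> deque of messages
        self.testlink = {}                     # node -> link; absent means nil
        self.guard_unknown = guard_unknown     # apply the "if lstatus = unknown" check?

    def status(self, link):
        return self.lstatus.get(link, UNKNOWN)

    def enqueue(self, link, msg):
        self.tarqueue.setdefault(link, deque()).append(msg)

    def mark_rejected(self, link):
        # The check under discussion: only an unknown link may become rejected; a
        # link already classified as branch (in the tree) keeps that classification.
        if self.status(link) == UNKNOWN or not self.guard_unknown:
            self.lstatus[link] = REJECTED

    def receive_test(self, me, sender):
        """ReceiveTest((sender,me), l, c): `me` handles the TEST at the head of its queue."""
        link_in, link_out = (sender, me), (me, sender)
        msg = self.tarqueue[link_in].popleft()
        _, l, c = msg
        f = self.fragment_of[me]
        if l > f.level:                        # not ready yet: requeue the message
            self.tarqueue[link_in].append(msg)
            return "requeued"
        if c != f.core:                        # different fragment: the link is external
            self.enqueue(link_out, ("ACCEPT",))
            return "accept"
        self.mark_rejected(link_out)           # same fragment: the link is not external
        if self.testlink.get(me) != link_out:
            self.enqueue(link_out, ("REJECT",))
            return "reject"
        return "no reply"                      # me's own pending TEST will inform sender

    def receive_reject(self, me, sender):
        """ReceiveReject((sender,me)): the REJECT must not demote a branch link."""
        assert self.tarqueue[(sender, me)].popleft() == ("REJECT",)
        self.mark_rejected((me, sender))

def run_scenario(guard_unknown):
    """Replay the scenario: p in f (level 8, core 'c'), q in g (level 4, core 'd')."""
    f, g = Fragment(8, "c"), Fragment(4, "d")
    tar = Tar({"p": f, "q": g}, guard_unknown)
    # q has already found that (q,p) is its local minimum-weight external link,
    # so testlink(q) = nil.  p sends TEST(8, c) over (p,q); q must requeue it (8 > 4).
    tar.enqueue(("p", "q"), ("TEST", 8, "c"))
    assert tar.receive_test("q", "p") == "requeued"
    tar.lstatus[("q", "p")] = BRANCH           # ComputeMin(g), then ChangeRoot(g)
    tar.fragment_of["q"] = f                   # Absorb(f, g): q now belongs to f ...
    tar.lstatus[("p", "q")] = BRANCH           # ... and (p,q) becomes branch
    # q now processes the requeued TEST: 8 <= 8 and c is q's core, so REJECT goes to p.
    outcome = tar.receive_test("q", "p")
    tar.receive_reject("p", "q")
    return outcome, tar.status(("q", "p")), tar.status(("p", "q"))
```

With the guard both links stay branch; without it both are demoted to rejected, and NotInTree would then become enabled for two links of the spanning tree.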

A message m is defined to be a protocol message for link (p,q) in a state if m
is one of the following:

(a) a TEST message in tarqueue((p,q)) with lstatus((p,q)) ≠ rejected;

(b) an ACCEPT message in tarqueue((q,p));

(c) a REJECT message in tarqueue((q,p));

(d) a TEST message in tarqueue((q,p)) with lstatus((q,p)) = rejected.

A protocol message for (p,q) can be considered a message that is actively helping
p to discover whether (p,q) is external.

Define the following predicates on states of TAR. (All free variables are
universally quantified.)

• TAR-A:

(a) If lstatus((p,q)) = branch, then either (p,q) ∈ subtree(fragment(p)) or
minlink(fragment(p)) = (p,q).

(b) If (p,q) ∈ subtree(fragment(p)), then lstatus((p,q)) = lstatus((q,p)) =
branch.

• TAR-B: If lstatus((p,q)) = rejected, then fragment(p) = fragment(q) and
(p,q) ∉ subtree(fragment(p)).

• TAR-C: If testlink(p) ≠ nil, then

(a) testlink(p) = (p,q) for some q;

(b) p ∈ testset(fragment(p));

(c) there is exactly one protocol message for (p,q);

(d) if lstatus((p,q)) ≠ branch, then (p,q) is the minimum-weight link of p with
lstatus unknown;

(e) if lstatus((p,q)) = branch, then lstatus((q,p)) = branch and testlink(q) ≠
(q,p).

• TAR-D: If there is a protocol message for (p,q), then testlink(p) = (p,q).

• TAR-E: If TEST(l,c) is in tarqueue((p,q)) then

(a) (p,q) ≠ core(fragment(p));

(b) if lstatus((p,q)) ≠ rejected, then c = core(fragment(p)) and l =
level(fragment(p)); and

(c) if lstatus((p,q)) = rejected, then c = core(fragment(q)) and l =
level(fragment(q)).

• TAR-F: If ACCEPT is in tarqueue((p,q)), then fragment(p) ≠ fragment(q) and
level(fragment(p)) ≥ level(fragment(q)).

• TAR-G: If REJECT is in tarqueue((p,q)), then fragment(p) = fragment(q) and
lstatus((p,q)) ≠ unknown.

• TAR-H: rootchanged(f) is true if and only if lstatus(minlink(f)) = branch.

• TAR-I: If p ∉ testset(fragment(p)), then either no (p,q) has lstatus((p,q)) =
unknown, or else there is an external link (r,t) of fragment(p) with
level(fragment(p)) ≤ level(fragment(t)).

• TAR-J: If awake = false, then lstatus((p,q)) = unknown.

Let P_TAR be the conjunction of TAR-A through TAR-J.

In order to show that TAR simulates GC, we define an abstraction mapping
M3 = (S3, A3) from TAR to GC. Define the function S3 from states(TAR) to
states(GC) by ignoring the message queues, and the testlink and lstatus variables.
The derived variables accmin of TAR map to the (non-derived) variables accmin of
GC. Define the function A3 as follows. Let s be a state of TAR and π an action
of TAR enabled in s. The GC action TestNode(p) is simulated in TAR when p
receives the message that tells p either that this link is external or that p has no
external links.

• If π = ReceiveAccept((q,p)), then A3(s,π) = TestNode(p).

• If π = SendTest(p) or ReceiveReject((q,p)), then A3(s,π) = TestNode(p) if
there is no link (p,r), r ≠ q, with lstatus((p,r)) = unknown in s; otherwise,
A3(s,π) is empty.

• If π = ReceiveTest((q,p),l,c), then A3(s,π) = TestNode(p) if l ≤
level(fragment(p)), c = core(fragment(p)), testlink(p) = (p,q), and there is no
link (p,r), r ≠ q, with lstatus((p,r)) = unknown in s; otherwise, A3(s,π) is empty.

• If π = ChannelSend((p,q),m) or ChannelRecv((p,q),m), then A3(s,π) is
empty.

For all other values of π, A3(s,π) = π.

The following predicates are true in every state of TAR satisfying (P'_GC ∘ S3) ∧
P_TAR. Recall that P'_GC = (P'_COM ∘ S2) ∧ P_GC. If P'_GC(S3(s)) is true, then the
GC predicates are true in S3(s), the COM predicates are true in S2(S3(s)), and the
HI predicates are true in S1(S2(S3(s))). Thus, these predicates are derivable from
P_TAR, together with the HI, COM and GC predicates.


• TAR-K: If testlink(p) = (p,q), then lstatus((p,q)) ≠ rejected.

Proof: By TAR-C(d) and TAR-C(e). □

• TAR-L: If minlink(f) = nil and l is an external link of f, then lstatus(l) =
unknown.

Proof: By TAR-A(a), if lstatus(l) = branch, then l is internal. By TAR-B, if
lstatus(l) = rejected, then l is internal. □


• TAR-M: If TEST(l,c) is in tarqueue((p,q)), then l ≥ 1 and c ≠ nil.

Proof: Let f = fragment(p) and g = fragment(q).

1. TEST(l,c) is in tarqueue((p,q)), by assumption.

Case 1: lstatus((p,q)) ≠ rejected.

2. lstatus((p,q)) ≠ rejected, by assumption.

3. c = core(f) and l = level(f), by Claim 2 and TAR-E(b).

4. testlink(p) = (p,q), by Claims 1 and 2 and TAR-D.

5. p ∈ testset(f), by Claim 4 and TAR-C(b).

6. minlink(f) = nil, by Claim 5 and GC-C.

7. subtree(f) ≠ {p}, by Claim 6 and COM-E.

8. core(f) ≠ nil and level(f) ≠ 0, by Claim 7 and COM-F.

9. level(f) ≥ 1, by Claim 8 and COM-F.

10. c ≠ nil and l ≥ 1, by Claims 3, 8 and 9.

Case 2: lstatus((p,q)) = rejected.

11. lstatus((p,q)) = rejected, by assumption.

12. c = core(g) and l = level(g), by Claim 11 and TAR-E(c).

13. testlink(q) = (q,p), by Claims 1 and 11 and TAR-D.

14. q ∈ testset(g), by Claim 13 and TAR-C(b).

15. minlink(g) = nil, by Claim 14 and GC-C.

16. subtree(g) ≠ {q}, by Claim 15 and COM-E.

17. core(g) ≠ nil and level(g) ≠ 0, by Claim 16 and COM-F.

18. level(g) ≥ 1, by Claim 17 and COM-F.

19. c ≠ nil and l ≥ 1, by Claims 12, 17 and 18. □


• TAR-N: If TEST(l,c) is in tarqueue((q,p)) and c = core(fragment(p)), then fragment(p) = fragment(q).

Proof:

1. TEST(l,c) is in tarqueue((q,p)), by assumption.

2. c = core(fragment(p)), by assumption.

3. c ≠ nil, by Claim 1 and TAR-M.

4. If lstatus((q,p)) ≠ rejected, then c = core(fragment(q)), by TAR-E(b).

5. If lstatus((q,p)) ≠ rejected, then fragment(q) = fragment(p), by Claims 2, 3 and 4, and COM-F.

6. If lstatus((q,p)) = rejected, then fragment(q) = fragment(p), by TAR-B. □


• TAR-O: If minlink(f) ≠ nil, then there is no protocol message for any link of any node in nodes(f).

Proof:

1. minlink(f) ≠ nil, by assumption.

2. testset(f) = ∅, by Claim 1 and GC-C.

3. testlink(p) = nil for all p ∈ nodes(f), by Claim 2 and TAR-C(b).

4. There is no protocol message for any link (p,q), p ∈ nodes(f), by Claim 3 and TAR-D. □


• TAR-P: If TEST(l,c) is in tarqueue((q,p)), c = core(fragment(p)), testlink(p) = (p,q), and lstatus((q,p)) ≠ rejected, then a TEST(l',c') message is in tarqueue((p,q)) and lstatus((p,q)) = unknown.

Proof:

1. TEST(l,c) is in tarqueue((q,p)), by assumption.

2. c = core(fragment(p)), by assumption.

3. testlink(p) = (p,q), by assumption.

4. lstatus((q,p)) ≠ rejected, by assumption.

5. fragment(p) = fragment(q), by Claims 1 and 2 and TAR-N.

6. No ACCEPT message is in tarqueue((q,p)), by Claim 5 and TAR-F.

7. The TEST(l,c) message in tarqueue((q,p)) is a protocol message for (q,p), by Claim 4.

8. testlink(q) = (q,p), by Claim 7 and TAR-D.

9. lstatus((q,p)) ≠ branch, by Claims 3 and 8 and TAR-C(e).

10. lstatus((q,p)) = unknown, by Claims 4 and 9.

11. No REJECT message is in tarqueue((q,p)), by Claim 10 and TAR-G.

12. There is exactly one protocol message for (p,q), by Claim 3 and TAR-C(c).

13. A TEST(l',c') message is in tarqueue((p,q)) and lstatus((p,q)) ≠ rejected, by Claims 6, 7, 11 and 12.

14. lstatus((p,q)) ≠ branch, by Claims 3 and 8 and TAR-C(e).

15. lstatus((p,q)) = unknown, by Claims 13 and 14.

Claims 13 and 15 give the result. □


Lemma 17: TAR simulates GC via A3, P_TAR, and P'_GC.

Proof: By inspection, the types of TAR, GC, A3, and P_TAR are correct. By Corollary 16, P'_GC is a predicate true in every reachable state of GC.

(1) Let s be in start(TAR). Obviously, P_TAR is true in s, and S3(s) is in start(GC).

(2) Obviously, A3(s,π)|ext(GC) = π|ext(TAR).

(3) Let (s',π,s) be a step of TAR such that P'_GC is true of S3(s') and P_TAR is true of s'. Condition (3a) is only shown below for those predicates that are not obviously true in s.

i) π is ChannelSend((p,q),m) or ChannelRecv((p,q),m). A3(s',π) is empty. (3a) and (3b) are obviously true.

ii) π is Start(p) or InTree(l) or NotInTree(l).

(3c) A3(s',π) = π. If π = InTree(l), then by TAR-J and TAR-A(a), π is enabled in S3(s'). If π = NotInTree(l), then by TAR-J and TAR-B, π is enabled in S3(s'). Thus, S3(s')πS3(s) is an execution fragment of GC.

(3a) Obviously, P_TAR is still true in s.

iii) π is SendTest(p). Let f = fragment(p) in s'.

Case 1: There is a link (p,q) with lstatus((p,q)) = unknown in s'.

(3b) A3(s',π) is empty. It is easy to see that S3(s') = S3(s).
(3a) By TAR-D and the precondition that testlink(p) = nil, there is no protocol message for any link of p in s'.

TAR-C(c): In s, there is exactly one protocol message for (p,q), namely the TEST message in tarqueue((p,q)).

TAR-D: The TEST message added in s is a protocol message for (p,q), and is not a protocol message for any other link. By the code, testlink(p) = (p,q).

TAR-E(a): By TAR-A(b), (p,q) ∉ subtree(f). By COM-F, (p,q) ≠ core(f).

Case 2: There is no link (p,q) with lstatus((p,q)) = unknown in s'.

(3c) A3(s',π) = TestNode(p).

Claims about s':

1. p ∈ testset(f), by precondition.

2. minlink(f) = nil, by Claim 1 and GC-C.

3. There is no external link of p, by Claim 2, TAR-L, and assumption.

By Claims 1 and 3, TestNode(p) is enabled in S3(s').

Claims about s:

4. p ∉ testset(f), by code.

5. There is no external link of p, by Claim 3 and code.

6. accmin(f) does not change, by Claim 5.

By Claims 4, 5, and 6, the effects of TestNode(p) are mirrored in S3(s).

(3a) TAR-I: By assumption for Case 2, p has no unknown links in s', and the same is true in s.

iv) π is ReceiveTest((q,p),l,c). Let f = fragment(p) in s'.

Case 1: l ≤ level(f), c = core(f), testlink(p) = (p,q), and there is no link (p,r), r ≠ q, with lstatus((p,r)) = unknown in s'.

(3c) A3(s',π) = TestNode(p).

Claims about s':

1. c = core(f), by assumption.

2. testlink(p) = (p,q), by assumption.

3. There is no link (p,r), r ≠ q, with lstatus((p,r)) = unknown, by assumption.

4. TEST(l,c) is in tarqueue((q,p)), by preconditions.

5. p ∈ testset(f), by Claim 2 and TAR-C(b).

6. minlink(f) = nil, by Claim 5 and GC-C.

7. No link (p,r), r ≠ q, is external, by Claims 6 and 3 and TAR-L.

8. (p,q) is not external, by Claims 2, 3 and 4 and TAR-N.

By Claims 5, 7 and 8, TestNode(p) is enabled in s'.

Claims about s:

9. p ∉ testset(f), by code.

10. There is no external link of p, by Claims 7 and 8 and code.

11. accmin(f) does not change, by Claim 10.

By Claims 9, 10 and 11, the effects of TestNode(p) are mirrored in s.

(3a) TAR-B: The only case of interest is when lstatus((p,q)) changes from unknown in s' to rejected in s. By TAR-N, f = fragment(q) in s' and the same is still true in s. By TAR-A(b), (p,q) ∉ subtree(f) in s', and the same is still true in s.

TAR-D:

Claims about s':

1. TEST(l,c) is in tarqueue((q,p)), by precondition.

2. c = core(f), by assumption.

3. testlink(p) = (p,q), by assumption.

4. There is exactly one protocol message for (p,q), by Claim 3 and TAR-C(c).

5. There is no protocol message for any link (p,r), r ≠ q, by Claim 3 and TAR-D.

Case A: lstatus((q,p)) = rejected. The TEST(l,c) message in tarqueue((q,p)) is the protocol message for (p,q) in s'. Since it is removed in s, by Claims 4 and 5 there is no protocol message for any link of p in s. Concerning q: by TAR-K, testlink(q) ≠ (q,p); thus, the predicate is still true for q in s, even if lstatus((p,q)) is changed to rejected.

Case B: lstatus((q,p)) ≠ rejected.

6. A TEST(l',c') is in tarqueue((p,q)) and lstatus((p,q)) = unknown, by Claims 1, 2, 3, the assumption for Case B, and TAR-P.

7. testlink(q) = (q,p), by Claim 1, the assumption for Case B and TAR-D.

In s, the TEST(l',c') message in tarqueue((p,q)), which exists by Claim 6, becomes a protocol message for (q,p), since lstatus((p,q)) is changed to rejected. By Claim 7, testlink(q) has the correct value. By Claims 4 and 5, the predicate is vacuously true for p in s.

TAR-E(c): The only case of interest is when lstatus((p,q)) goes from unknown in s' to rejected in s, while there is a TEST(l',c') message in tarqueue((p,q)). By TAR-E(b), c' = core(f) and l' = level(f) in s'. By TAR-N, fragment(q) = f. Thus c' = core(fragment(q)) and l' = level(fragment(q)).

TAR-I: By the assumption for Case 1 and code, p has no unknown links in s.

TAR-J: The TEST message in tarqueue((q,p)) is a protocol message for either (p,q) or (q,p). Without loss of generality, suppose for (p,q). By TAR-D, testlink(p) = (p,q), and by TAR-C(b), p ∈ testset(f). Thus, by GC-C, minlink(f) = nil, and by COM-C awake = true.


Case 2: l > level(f), or c ≠ core(f), or testlink(p) ≠ (p,q), or there is a link (p,r), r ≠ q, with lstatus((p,r)) = unknown in s'.

(3b) A3(s',π) is empty. The only variables that are possibly changed are lstatus((p,q)), the tarqueues, and testlink(p), none of which is reflected (directly) in the state of GC. Thus accmin(f) does not change and S3(s') = S3(s).

(3a) TAR-B: As in Case 1.

TAR-C(b): If testlink(p) ≠ nil in s, then by inspecting the code, the same is true in s'. So the predicate is true in s because it is true in s'.

TAR-C(c): If l > level(f) in s', nothing affecting the predicate changes in going from s' to s. Suppose l ≤ level(f) in s'.

Claims about s':

1. TEST(l,c) is in tarqueue((q,p)), by precondition.

Case A: c ≠ core(f).

2. lstatus((q,p)) ≠ rejected, by TAR-E(c).

3. The TEST(l,c) message in tarqueue((q,p)) is a protocol message for (q,p), by Claim 2.

The ACCEPT message added in s is a protocol message for (q,p). There is no change that affects the truth of the predicate for p.

Case B: c = core(f).

Case B.1: testlink(p) ≠ (p,q).

4. There is no protocol message for (p,q), by TAR-D.

5. The TEST(l,c) message in tarqueue((q,p)) is a protocol message for (q,p), by Claim 4.

The REJECT message added in s is a protocol message for (q,p). No change affects the truth of the predicate for p.

Case B.2: testlink(p) = (p,q).

6. There is a link (p,r), r ≠ q, with lstatus((p,r)) = unknown, by assumption for Case B.2.

7. There is no protocol message for (p,r), by Claim 6 and TAR-D.

Case B.2.1: lstatus((q,p)) ≠ rejected.

8. There is a TEST(l',c') message in tarqueue((p,q)) and lstatus((p,q)) = unknown, by assumptions for Case B.2.1 and TAR-P.

9. The TEST(l,c) message in tarqueue((q,p)) is a protocol message for (q,p), by assumptions for Case B.2.1.

The TEST(l',c') message of Claim 8 becomes a protocol message for (q,p) in s, since lstatus((p,q)) is changed to rejected. Concerning p: testlink(p) = (p,r) in s, and a TEST message is added to tarqueue((p,r)) and is the sole protocol message for (p,r) by Claim 7.

Case B.2.2: lstatus((q,p)) = rejected.

10. The TEST(l,c) message in tarqueue((q,p)) is the protocol message for (p,q), by assumptions for Case B.2.2.

11. testlink(q) ≠ (q,p), by assumption for Case B.2.2 and TAR-K.

The predicate is true for p in s because the TEST(l,c) message, which was the sole protocol message for (p,q) by Claim 10, is removed in s; testlink(p) is now (p,r), and (p,r) has exactly one protocol message, by inspecting the code. No change is made that affects the truth of the predicate for q, by Claim 11.

TAR-D: If l > level(f) in s', nothing affecting the predicate changes in going from s' to s. Suppose l ≤ level(f) in s'.

Claims about s':

1. TEST(l,c) is in tarqueue((q,p)), by precondition.

Case A: c ≠ core(f).

2. lstatus((q,p)) ≠ rejected, by assumption for Case A and TAR-E(c).

3. testlink(q) = (q,p), by Claims 1 and 2 and TAR-D.

Then testlink(q) is still (q,p) in s, and there is an ACCEPT message in tarqueue((p,q)). No change affects the truth of the predicate for p.

Case B: c = core(f).

Case B.1: testlink(p) ≠ (p,q).

4. The TEST(l,c) message in tarqueue((q,p)) is a protocol message for (q,p), by assumptions for Case B.1 and TAR-D.

5. testlink(q) = (q,p), by Claim 4 and TAR-D.

Then in s, there is a REJECT message in tarqueue((p,q)) and testlink(q) is still (q,p). No change affects the truth of the predicate for p.

Case B.2: testlink(p) = (p,q).

6. There is a link (p,r), r ≠ q, with lstatus((p,r)) = unknown, by assumption for Case 2.

7. There is exactly one protocol message for (p,q), by TAR-C(c).

Case B.2.1: lstatus((q,p)) = rejected.

8. testlink(q) ≠ (q,p), by TAR-K.

No changes affect the truth of the predicate for q. For p: the TEST(l,c) message in tarqueue((q,p)) is the protocol message for (p,q). It is removed in s. A TEST message is added to tarqueue((p,r)) in s, where lstatus((p,r)) = unknown, and testlink(p) = (p,r) by code.

Case B.2.2: lstatus((q,p)) ≠ rejected.

9. A TEST(l',c') message is in tarqueue((p,q)) and lstatus((p,q)) = unknown, by Claim 1, the assumption for Case B.2.2 and TAR-P.

10. testlink(q) = (q,p), by Claim 8 and TAR-D.

For q: In s, since lstatus((p,q)) is changed to rejected, the TEST(l',c') message in tarqueue((p,q)) (of Claim 9) becomes a protocol message for (q,p). This is OK by Claim 10.

For p: The TEST(l',c') message of Claim 9 is the protocol message for (p,q). The rest of the argument is as in Case B.2.1.

TAR-E: (a) Suppose a TEST message is added to tarqueue((p,r)). As in π = SendTest(p), Case 1. (c) As in Case 1.

TAR-F: The only case of interest is when an ACCEPT message is added to tarqueue((p,q)) in s.

Claims about s':

1. TEST(l,c) is in tarqueue((q,p)), by precondition.

2. l ≤ level(f), by assumption.

3. c ≠ core(f), by assumption.

4. lstatus((q,p)) ≠ rejected, by Claims 1 and 3 and TAR-E(c).

5. c = core(fragment(q)), by Claims 1, 4 and TAR-E(b).

6. l = level(fragment(q)), by Claims 1, 4 and TAR-E(b).

7. core(f) ≠ core(fragment(q)), by Claims 3 and 5.

8. level(f) ≥ level(fragment(q)), by Claims 2 and 6.

Claims 7 and 8 are still true in s.

TAR-G: The only case of interest is when a REJECT message is added to tarqueue((p,q)).

Claims about s':

1. TEST(l,c) is in tarqueue((q,p)), by precondition.

2. c = core(f), by assumption.

3. testlink(p) ≠ (p,q), by assumption.

4. If lstatus((q,p)) ≠ rejected, then c = core(fragment(q)), by Claim 1 and TAR-E(b).

5. If lstatus((q,p)) ≠ rejected, then f = fragment(q), by Claim 4 and COM-F.

6. If lstatus((q,p)) = rejected, then f = fragment(q), by TAR-B.

7. f = fragment(q), by Claims 5 and 6.

Claim 7 is still true in s.

TAR-I: The only case of interest is when p is removed from testset(f). But when that happens, there are no unknown links of p.

TAR-J: Suppose lstatus((p,q)) is changed to rejected. As in Case 1.
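As an added illustration (not code from the paper, which defines TAR as an I/O automaton rather than as a program), the following Python model executes the case split that the ReceiveTest step above reasons about: how a node p reacts to a TEST(l,c) message from q, depending on whether l exceeds level(f), whether c is core(f), and whether p was itself testing the link (p,q). The names Node, Fragment, make_state, min_unknown_link and receive_test, and the sample weights and levels, are this example's own assumptions; tarqueue((u,v)) is modelled as a dict of FIFO deques keyed by link.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

UNKNOWN, BRANCH, REJECTED = "unknown", "branch", "rejected"


@dataclass
class Fragment:
    core: tuple                      # core edge of f (non-nil here, as TAR-M requires)
    level: int
    testset: set = field(default_factory=set)


@dataclass
class Node:
    name: str
    fragment: Fragment
    lstatus: dict                    # neighbour -> UNKNOWN | BRANCH | REJECTED
    weight: dict                     # neighbour -> weight of the link (p, neighbour)
    testlink: Optional[tuple] = None


def make_state():
    """Constructed sample: p in fragment f with core (p,x) and level 2; p's links
    are x (branch), q (unknown, weight 5) and r (unknown, weight 7)."""
    f = Fragment(core=("p", "x"), level=2, testset={"p"})
    p = Node("p", f, {"x": BRANCH, "q": UNKNOWN, "r": UNKNOWN},
             {"x": 1, "q": 5, "r": 7})
    tarqueue = {}                    # tarqueue((u,v)): FIFO of messages from u to v
    return p, tarqueue


def send(tarqueue, u, v, msg):
    tarqueue.setdefault((u, v), deque()).append(msg)


def min_unknown_link(p):
    """Minimum-weight link of p with lstatus unknown (the link TAR-C(d) makes
    testlink(p)), or None if p has no unknown link left."""
    cands = [v for v, st in p.lstatus.items() if st == UNKNOWN]
    return min(cands, key=lambda v: p.weight[v]) if cands else None


def receive_test(p, q, tarqueue):
    """ReceiveTest((q,p),l,c): p consumes the TEST(l,c) at the head of tarqueue((q,p))."""
    f = p.fragment
    _, l, c = tarqueue[(q, p.name)].popleft()
    if l > f.level:
        # q's fragment is ahead of p's: the message is deferred, nothing else changes
        tarqueue[(q, p.name)].append(("TEST", l, c))
        return "deferred"
    if c != f.core:
        # different core, so q is in another fragment and (p,q) may be external
        send(tarqueue, p.name, q, ("ACCEPT",))
        return "accepted"
    # c = core(f): by TAR-N, q is in p's own fragment, so (p,q) is internal
    p.lstatus[q] = REJECTED
    if p.testlink != (p.name, q):
        send(tarqueue, p.name, q, ("REJECT",))
        return "rejected"
    # p was testing (p,q) itself; q's TEST already answers it (TAR-P), so no REJECT
    r = min_unknown_link(p)
    if r is None:
        # Case 1 of the proof: p is done testing, mirroring TestNode(p) in GC
        p.testlink = None
        f.testset.discard(p.name)
        return "done"
    p.testlink = (p.name, r)         # move on to the next unknown link
    send(tarqueue, p.name, r, ("TEST", f.level, f.core))
    return "testing-next"
```

The five return values correspond to the cases the proof distinguishes: "deferred" and "accepted" fall under Case 2 with no change to p's own test, "rejected" is Case B.1 (a REJECT is added), "testing-next" is Case B.2 with another unknown link (p,r), and "done" is Case 1, the only outcome that changes the GC-level state.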

v) π is ReceiveAccept((q,p)). Let f = fragment(p) in s'.

(3c) A3(s',π) = TestNode(p).

Claims about s':

1. ACCEPT is in tarqueue((q,p)), by precondition.

2. fragment(q) ≠ f, by Claim 1 and TAR-F.

3. level(f) ≤ level(fragment(q)), by Claim 1 and TAR-F.

4. (p,q) is an external link of f, by Claim 2.

5. testlink(p) = (p,q), by Claim 1 and TAR-D.

6. p ∈ testset(f), by Claim 5 and TAR-C(b).

7. minlink(f) = nil, by Claim 6 and GC-C.

8. lstatus((p,q)) ≠ branch, by Claims 4 and 7 and TAR-L.

9. (p,q) is the minimum-weight link of p with lstatus unknown, by Claims 5 and 8 and TAR-C(d).

10. (p,q) is the minimum-weight external link of p, by Claims 7 and 9 and TAR-L.

By Claims 6, 10, and 3, TestNode(p) is enabled in s'.

Claims about s:

11. p ∉ testset(f), by code.

12. (p,q) is the minimum-weight external link of p, by Claim 10.

13. If wt(p,q) < wt(accmin(f)) in s', then accmin(f) = (p,q) in s, by Claims 11 and 12.

By Claims 11 and 13, the effects of TestNode(p) are mirrored in s.

(3a) TAR-D: In s', the ACCEPT in tarqueue((q,p)) is a protocol message for (p,q). By TAR-C(c) and TAR-D, it is the only protocol message for any link of p in s'. Thus in s, there is no protocol message for any link of p, and the predicate is vacuously true in s for p. No other node is affected.

TAR-I: By Claims 3 and 4, it is OK to remove p from testset(f).

vi) π is ReceiveReject((q,p)). Let f = fragment(p) in s'.

Case 1: There is a link (p,r), r ≠ q, with lstatus((p,r)) = unknown.

(3b) A3(s',π) is empty. Obviously S3(s') = S3(s).

(3a) Claims about s':

1. REJECT is in tarqueue((q,p)), by assumption.

2. The REJECT in tarqueue((q,p)) is a protocol message for (p,q), by Claim 1.

3. testlink(p) = (p,q), by Claim 2 and TAR-D.

4. There is only one protocol message for (p,q), by Claim 3 and TAR-C(c).

5. There is no protocol message for any other link of p, by Claim 3 and TAR-D.

6. p ∈ testset(f), by Claim 3 and TAR-C(b).

TAR-B: Suppose lstatus((p,q)) goes from unknown in s' to rejected in s. By TAR-G, f = fragment(q) in s'. By TAR-A(b), (p,q) ∉ subtree(f) in s'. Both facts are still true in s.

TAR-C(b): By Claim 6.

TAR-C(c): In s, testlink(p) = (p,r), and the TEST message is the sole protocol message for (p,r) by Claim 5.

TAR-D: In s, the REJECT message is removed and a TEST message is added to tarqueue((p,r)) with lstatus((p,r)) = unknown. So there is a protocol message for (p,r) and for no other link of p, by Claims 4 and 5. By code, testlink(p) = (p,r).

TAR-E(a): Suppose a TEST message is added to some tarqueue((p,r)). As in π = SendTest(p), Case 1.

TAR-E(c): The only case of interest is when lstatus((p,q)) goes from unknown in s' to rejected in s. But by Claims 2 and 4, there is no TEST message in tarqueue((p,q)) in s' if lstatus((p,q)) = unknown.

TAR-I: By Claim 6, the predicate is vacuously true.

TAR-J: Suppose lstatus((p,q)) is changed from unknown to rejected. Similar to π = ReceiveTest((q,p),l,c), Case 1, with REJECT being the protocol message for

Case 2: There is no link (p,r), r ≠ q, with lstatus((p,r)) = unknown.

(3c) A3(s',π) = TestNode(p).

Claims about s':

1. REJECT is in tarqueue((q,p)), by precondition.

2. testlink(p) = (p,q), by Claim 1 and TAR-D.

3. p ∈ testset(f), by Claim 2 and TAR-C(b).

4. minlink(f) = nil, by Claim 3 and GC-C.

5. fragment(q) = f, by Claim 1 and TAR-G.

6. (p,q) is not external, by Claim 5.

7. There is no external link (p,r), r ≠ q, of p, by Claim 4, TAR-L, and assumption for Case 2.

By Claims 3, 6 and 7, TestNode(p) is enabled in s'.

Claims about s:

8. p ∉ testset(f), by code.

9. There is no external link of p, by Claims 6 and 7 and code.

10. accmin(f) does not change, by Claim 9.

By Claims 8, 9 and 10, the effects of TestNode(p) are mirrored in s.

(3a) TAR-B: Same as Case 1.

TAR-D: In s, testlink(p) = nil. We must show there is no protocol message for any link of p. In s', the REJECT message in tarqueue((q,p)) is the sole protocol message for any link of p, as in Case 1. The REJECT message is removed in s and no protocol message is added.

TAR-I: By assumption for Case 2 and code, there are no unknown links of p in s.

TAR-J: As in Case 1.

vii) π is ComputeMin(f).

(3c) A3(s',π) = π. Since accmin(f) = nil in s because minlink(f) ≠ nil in s, it is easy to see that π is enabled in S3(s') and that its effects are mirrored in S3(s).

(3a) TAR-H: By GC-A, accmin(f) = l is an external link of f in s'. Since minlink(f) = nil in s', lstatus(l) ≠ branch by TAR-A(a). Also, by COM-B, rootchanged(f) = false in s'. Thus in s, rootchanged(f) = false and lstatus(minlink(f)) ≠ branch.

viii) π is ChangeRoot(f).

(3c) A3(s',π) = π. It is easy to see that π is enabled in S3(s') and that its effects are mirrored in S3(s).

(3a) Only TAR-A(a), TAR-H and TAR-J are affected. Obviously TAR-A(a) and TAR-H are still true in s. For TAR-J: by precondition awake = true in s', and it is still true in s.

ix) π is Merge(f,g).

(3c) A3(s',π) = π. After noting that accmin(h) = nil in s because testset(h) = nodes(h) in s, it is easy to see that π is enabled in S3(s') and that its effects are mirrored in S3(s).

(3a) TAR-A(b): The predicate is true for h by TAR-H.

TAR-B: The predicate is true for h by TAR-H.

TAR-C: By GC-C, no r in nodes(f) or nodes(g) is in testset(f) or testset(g) in s'. By TAR-C(b), testlink(r) = nil for all such r. So the predicate is vacuously true in h.

TAR-E(a): By TAR-O, there is no TEST message in tarqueue((p,q)) or in tarqueue((q,p)), where (p,q) = minlink(f), in s'. Since (p,q) = core(h) in s, we are done.

TAR-E(b): By TAR-O, there is no TEST(l,c) message in tarqueue((p,q)) with lstatus((p,q)) ≠ rejected in s', for any p in nodes(f) or nodes(g). Thus, the same is true in s for any p in nodes(h), and the predicate is vacuously true in s for h.

TAR-E(c): If TEST(l,c) is in tarqueue((p,q)) and lstatus((p,q)) = rejected in s', then it is a protocol message for (q,p) in s'. By TAR-O, fragment(q) is neither f nor g in s'. So the predicate is still true in s.

TAR-F: If ACCEPT is in tarqueue((p,q)) in s', it is a protocol message for (q,p) in s'. By TAR-O, fragment(q) is neither f nor g in s'. If fragment(p) is neither f nor g in s', then the predicate is still true in s. Without loss of generality, suppose fragment(p) = f in s'. By TAR-F, level(f) ≥ level(fragment(q)) in s'. Then fragment(p) = h ≠ fragment(q) in s, and level(h) (in s) > level(f) (in s') ≥ level(fragment(q)) (in s' and s).

TAR-H: By code, rootchanged(h) = false. Since minlink(h) = nil by code, lstatus(minlink(f)) ≠ branch.

TAR-I: For nodes in h, the predicate is vacuously true since testset(h) = nodes(h). For nodes not in h, the predicate is still true since the level of every node formerly in nodes(f) or nodes(g) is increased.

x) π is Absorb(f,g).

(3c) A3(s',π) = π. It is easy to see that π is enabled in S3(s'). Below we show that accmin(f) is the same in s as in s', which together with inspecting the code shows that the effects of π are mirrored in S3(s).

Let (q,p) = minlink(g). If p ∈ testset(f) in s', then every node in nodes(g) in s' is added to testset(f) in s. No change is made to any of the criteria for defining accmin(f).

Suppose p ∉ testset(f) in s'. If minlink(f) ≠ nil in s', then the same is true in s, and accmin(f) = nil in s' and s. Suppose minlink(f) = nil in s'.

Claims about s':

1. level(f) > level(g), by precondition.

2. p ∈ nodes(f), by precondition.

3. p ∉ testset(f), by assumption.

4. minlink(f) = nil, by assumption.

5. q ∈ nodes(g), by COM-A.

6. f ≠ g, by Claim 1.

7. accmin(f) = (r,t), for some r and t, by Claims 2 through 6.

8. fragment(t) ≠ g, by Claims 1 and 7 and GC-A.

9. (r,t) ≠ (p,q), by Claims 5 and 8.

10. wt(r,t) < wt(p,q), by Claims 2, 3, 5, 6, 7, and 9 and GC-A.

11. wt(p,q) < wt(u,v) for any external link (u,v) of g, by COM-A.

12. wt(r,t) < wt(u,v) for any external link (u,v) of g, by Claims 10 and 11.

By Claims 7, 8 and 12, accmin(f) = (r,t) in s.

(3a) TAR-A(b): The predicate is true in s for f by TAR-H.

TAR-B: The predicate is true in s for f by TAR-H.

TAR-C(b): By GC-C, since minlink(g) ≠ nil, testset(g) = ∅ in s'. By TAR-C(b), testlink(p) = nil in s' for all p ∈ nodes(g). There is no change for p ∈ nodes(f) in s' in going from s' to s. Thus the predicate is true in s for f.

TAR-C(e): Suppose (q,p) = minlink(g) in s' and lstatus((p,q)) becomes branch in s. By TAR-H, lstatus((q,p)) = branch in s'. As in TAR-C(b), testlink(q) ≠ (q,p), so the predicate is still true in s.

TAR-E(a): OK because core(f) does not change.

TAR-E(b): Let (q,p) = minlink(g) in s'. If we can show lstatus((p,q)) ≠ rejected in s', we are done. If lstatus((p,q)) = rejected in s', then fragment(p) = fragment(q). This contradicts level(g) < level(f), which implies that g ≠ f.

TAR-E(c): Suppose TEST(l,c) is in tarqueue((p,q)) and lstatus((p,q)) = rejected in s', for some link (p,q) in L(G). This is a protocol message for (q,p). By TAR-O, fragment(q) ≠ g in s'. Thus fragment(q) is the same in s' and s, and c = core(fragment(q)) and l = level(fragment(q)) in s.

TAR-F: Suppose ACCEPT is in tarqueue((p,q)) in s', for some link (p,q) in L(G). This is a protocol message for (q,p). By TAR-O, fragment(q) ≠ g in s'. By TAR-F, fragment(p) ≠ fragment(q) in s'. By preconditions, level(g) < level(f), so it cannot be the case that fragment(p) = g and fragment(q) = f.

Suppose fragment(p) = g. Since level(fragment(p)) in s is greater than it is in s', and since fragment(q) ≠ f in s', the predicate is still true in s.

Suppose fragment(q) = f. Since fragment(q) is the same in s as in s', and since fragment(p) ≠ g in s', the predicate is still true in s.

If fragment(p) ≠ g and fragment(q) ≠ f in s', the predicate is obviously still true in s.

TAR-G: Suppose REJECT is in tarqueue((p,q)) in s', for some link (p,q) in L(G). This is a protocol message for (q,p). By TAR-O, fragment(q) ≠ g in s'. By TAR-G, fragment(p) ≠ g in s', since otherwise fragment(p) = fragment(q) = g in s'. So the predicate is still true in s.

TAR-H: Let (q,p) = minlink(g). Since level(f) > level(g) by COM-A, (p,q) ≠ minlink(f). So it is OK to set lstatus((p,q)) to branch.

TAR-I: First note that if there is some node r ∈ nodes(f) − testset(f) in s' with an unknown link, then by TAR-I there is an external link (t,u) of f, and level(f) ≤ level(fragment(u)). Thus fragment(u) ≠ g, so in s, the predicate is still true for nodes that were in nodes(f) in s'.

To show that the predicate is true in s for nodes that were in nodes(g) in s', we only need to consider the case when p ∉ testset(f) in s', i.e., when nodes formerly in nodes(g) are not added to testset(f). Since level(f) > level(g), minlink(f) ≠ (p,q), by COM-A. Thus, by TAR-A(a) and TAR-B, lstatus((p,q)) = unknown, and the argument in the previous paragraph holds.

To show that the predicate is true in s for nodes that are not in either nodes(f) or nodes(g) in s', it is enough to note that the only relevant change is that the level of every node formerly in nodes(g) is increased. □

Let P'_TAR = (P'_GC ∘ S3) ∧ P_TAR.

Corollary 18: P'_TAR is true in every reachable state of TAR.

Proof: By Lemmas 1 and 17. □
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4.2.4  DC  Simulates  GC 

This  automaton  focuses  on  how  the  nodes  of  a  fragment  cooperate  to  find  the 
minimum-weight external link of the fragment in a distributed fashion. The variable minlink(f) is now a derived variable, depending on variables local to each node and on the contents of message queues. There is no action ComputeMin(f). The two nodes adjacent to the core send out FIND messages over the core. These messages are propagated throughout the fragment. When a node p receives a FIND message, it changes the variable dcstatus(p) from unfind to find, relays FIND messages, and records the link from which the FIND was received as its inbranch(p). Then the node atomically finds its local minimum-weight external link using action TestNode(p) as in GC, and waits to receive REPORT(w) messages from all its "children" (the nodes to which it sent FIND). The variable findcount(p) records how many children have not yet reported. Then p takes the minimum over all the weights w reported by its children and the weight of its own local minimum-weight external link, and sends that weight to its "parent" in a REPORT message along inbranch(p); the weight and the link associated with this minimum are recorded as bestwt(p) and bestlink(p), and dcstatus(p) is changed back to unfind. When a node adjacent to the core has heard from all its children, it sends a REPORT over the core. This message is not processed by the recipient until its dcstatus is set back to unfind. When a node p adjacent to the core receives a REPORT(w) over the core with w > bestwt(p), then minlink(f) becomes defined, and is the link found by following bestlinks from p.

The ChangeRoot(f) action is the same as in GC. When two fragments merge, a FIND message is added to one link of the new core. A new action, AfterMerge(p,q), adds a FIND message to the other link of the new core. When an Absorb(f,g) action occurs, a FIND message is directed toward the old g along the reverse link of minlink(g) if and only if the target of minlink(g) is in testset(f) and its dcstatus is find.

This algorithm (as well as the original one) correctly handles "leftover" REPORT messages. Recall that a REPORT message is sent in both directions over the core (p,q) of a fragment f. Suppose the root p receives its REPORT message first, and the other REPORT message, the "leftover" one, which is headed toward q, remains in the queue until after f merges or is absorbed. Since the queues are FIFO relative to REPORT and FIND messages, the state of q remains such that when the leftover REPORT message is received, the only change is the removal of the message.
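The FIND/REPORT convergecast described above, run to completion on a single fragment, as an added worked example. This is illustrative Python written for this page, not code from the paper or from the original algorithm. It keeps the paper's variable names (dcstatus, findcount, bestlink, bestwt, inbranch, testset) but makes three simplifying assumptions of its own: the three per-link queues dcqueue_p, dcqueue_pq and dcqueue_q are collapsed into one FIFO queue per directed link; the level comparison in TestNode is omitted (every external target is assumed to be at level at least level(f)); and external-link targets are named so that they are never confused with nodes of the fragment. The scheduler delivers at most one message per link per round. A REPORT over the core whose recipient still has dcstatus = find is left at the head of its queue, which is the rule the text gives for that case, and the deferred counter records how often that happened. The sample tree and weights are constructed for the example.

```python
"""DC's FIND/REPORT phase on one fragment (added example, not the paper's code)."""
from collections import deque

INF = float("inf")


class Fragment:
    """A fragment just after Merge and AfterMerge have put a FIND on each core link.
    external maps a node to (weight, target) of its minimum-weight external link;
    targets lie in other fragments and are assumed never to be tree nodes."""

    def __init__(self, tree_edges, core, external):
        self.adj = {}
        for u, v in tree_edges:
            self.adj.setdefault(u, set()).add(v)
            self.adj.setdefault(v, set()).add(u)
        self.nodes, self.core = set(self.adj), tuple(core)
        assert self.core[1] in self.adj[self.core[0]], "core must be a tree edge"
        self.external = {n: external.get(n) for n in self.nodes}
        # DC's per-node variables in their start-state values
        self.dcstatus = {n: "unfind" for n in self.nodes}
        self.findcount = {n: 0 for n in self.nodes}
        self.bestlink = {n: None for n in self.nodes}
        self.bestwt = {n: INF for n in self.nodes}
        self.inbranch = {n: None for n in self.nodes}
        self.testset = set(self.nodes)        # testset(h) := nodes(h) at Merge
        # one FIFO per directed tree link (the three dcqueues collapsed into one)
        self.queue = {(u, v): deque()
                      for u in sorted(self.adj) for v in sorted(self.adj[u])}
        self.minlink = None     # (link, weight) once the derived variable is defined
        self.mw_root = None     # core endpoint at which minlink became defined
        self.deferred = 0       # core REPORTs that had to wait for dcstatus = unfind
        p, q = self.core
        self.queue[(p, q)].append(("FIND",))   # FIND added by Merge
        self.queue[(q, p)].append(("FIND",))   # FIND added by AfterMerge

    def receive_find(self, q, p):
        """ReceiveFind((q,p)): p starts searching and relays FIND to its children."""
        self.dcstatus[p] = "find"
        self.inbranch[p] = (p, q)
        self.bestlink[p], self.bestwt[p] = None, INF
        children = [(p, r) for r in self.adj[p] if r != q]
        self.findcount[p] = len(children)
        for link in children:
            self.queue[link].append(("FIND",))
        self.test_node(p)

    def test_node(self, p):
        """TestNode(p): fold p's own minimum-weight external link into bestwt/bestlink."""
        self.testset.discard(p)
        if self.external[p] is not None:
            w, target = self.external[p]
            if w < self.bestwt[p]:
                self.bestlink[p], self.bestwt[p] = (p, target), w
        self.report(p)

    def report(self, p):
        """Procedure Report(p): report along inbranch once children and self are done."""
        if self.findcount[p] == 0 and p not in self.testset:
            self.dcstatus[p] = "unfind"
            self.queue[self.inbranch[p]].append(("REPORT", self.bestwt[p]))

    def receive_report(self, q, p, w):
        """ReceiveReport((q,p),w); returns False if the message must stay queued."""
        if (p, q) != self.inbranch[p]:            # REPORT from a child
            self.findcount[p] -= 1
            if w < self.bestwt[p]:
                self.bestlink[p], self.bestwt[p] = (p, q), w
            self.report(p)
            return True
        if self.dcstatus[p] == "find":            # REPORT over the core, p not done
            self.deferred += 1
            return False
        if w > self.bestwt[p]:                    # minlink is on p's side
            self.mw_root = p
            self.minlink = (self.follow_bestlinks(p), self.bestwt[p])
        # w < bestwt(p): the other endpoint derives minlink;
        # w == bestwt(p) == INF: the fragment has no external link
        return True

    def follow_bestlinks(self, p):
        """Walk bestlinks down the tree from p until an external link is reached."""
        u = p
        while self.bestlink[u][1] in self.nodes:
            u = self.bestlink[u][1]
        return self.bestlink[u]

    def run(self):
        """Deliver queued messages round-robin until every queue is empty."""
        while any(self.queue.values()):
            progressed = False
            for (q, p), queue in self.queue.items():
                if not queue:
                    continue
                if queue[0][0] == "FIND":
                    queue.popleft()
                    self.receive_find(q, p)
                    progressed = True
                elif self.receive_report(q, p, queue[0][1]):
                    queue.popleft()
                    progressed = True
            if not progressed:
                raise RuntimeError("stuck: a core REPORT can never be processed")
        return self.minlink
```

On the constructed tree with edges (a,b), (a,c), (b,d), (d,e), core (a,b) and external links a:(7,x), c:(3,y), d:(5,z), e:(9,w), Fragment(...).run() returns the link (c,y) of weight 3 and records a as the endpoint at which minlink became defined; b receives REPORT(3) with 3 < bestwt(b) = 5 and correctly does nothing. Removing c makes a report over the core while b is still searching, so b's queue holds that REPORT until b's own Report(b) has run.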

Define automaton DC (for "Distributed ComputeMin") as follows.

The state consists of a set fragments. Each element f of the set is called a fragment, and has the following components:

• subtree(f), a subgraph of G;

• core(f), an edge of G or nil;

• level(f), a nonnegative integer;

• rootchanged(f), a Boolean; and

• testset(f), a subset of V(G).

For each node p, there are the following variables:

• dcstatus(p), either find or unfind;

• findcount(p), a nonnegative integer;

• bestlink(p), a link of G or nil;

• bestwt(p), a weight or ∞; and

• inbranch(p), a link of G or nil.

For each link (p,q), there are associated three variables:

• dcqueue_p((p,q)), a FIFO queue of messages from p to q waiting at p to be sent;

• dcqueue_pq((p,q)), a FIFO queue of messages from p to q that are in the communication channel; and

• dcqueue_q((p,q)), a FIFO queue of messages from p to q waiting at q to be processed.

The set of possible messages M is {REPORT(w) : w a weight or ∞} ∪ {FIND}.

The state also contains Boolean variables answered(l), one for each l ∈ L(G), and a Boolean variable awake.

In the start state of DC, fragments has one element for each node in V(G); for the fragment f corresponding to node p, subtree(f) = {p}, core(f) = nil, level(f) = 0, rootchanged(f) is false, and testset(f) is empty. For each p, dcstatus(p) = unfind, findcount(p) = 0, bestlink(p) is the minimum-weight external link of p, bestwt(p) is the weight of bestlink(p), and inbranch(p) = nil. The message queues are empty. Each answered(l) is false and awake is false.

The derived variable dcqueue((p,q)) is defined to be dcqueue_p((p,q)) || dcqueue_pq((p,q)) || dcqueue_q((p,q)).

A REPORT(w) message is headed toward p if either it is in dcqueue((q,p)) for some q, or it is in some dcqueue((q,r)), where q ∈ subtree(r) and r ∈ subtree(p). A FIND message is headed toward p if it is in some dcqueue((q,r)) and p is in subtree(r). A message is said to be in subtree(f) if it is in some dcqueue((q,p)) and p ∈ nodes(f).

Now minlink(f) is a derived variable, defined as follows. If nodes(f) = {p}, then minlink(f) is the minimum-weight external link of p. Suppose nodes(f) contains more than one node. If f has an external link, if dcstatus(p) = unfind for all p ∈ nodes(f), if no FIND message is in subtree(f), and if no REPORT message is headed toward mw-root(f), then minlink(f) is the first external link reached by starting at mw-root(f) and following bestlinks; otherwise, minlink(f) = nil.

Also accmin(f) is a derived variable, defined as in TAR as follows. If minlink(f) ≠ nil, or if there is no external link of any p ∈ nodes(f) − testset(f), then accmin(f) = nil. Otherwise, accmin(f) is the minimum-weight external link of all p ∈ nodes(f) − testset(f).

Note below that ReceiveFind((q,p)) is only enabled if AfterMerge(p,q) is not enabled; without this precondition on ReceiveFind, p could receive the FIND before sending a FIND to q, and thus q's side of the subtree would not participate in the search.

Input actions:

• Start(p), p ∈ V(G)
  Effects:
    awake := true

Output actions:

• InTree((p,q)), (p,q) ∈ L(G)
  Preconditions:
    awake = true
    (p,q) ∈ subtree(fragment(p)) or (p,q) = minlink(fragment(p))
    answered((p,q)) = false
  Effects:
    answered((p,q)) := true

• NotInTree((p,q)), (p,q) ∈ L(G)
  Preconditions:
    fragment(p) = fragment(q) and (p,q) ∉ subtree(fragment(p))
    answered((p,q)) = false
  Effects:
    answered((p,q)) := true

Internal actions:

• ChannelSend((p,q),m), (p,q) ∈ L(G), m ∈ M
  Preconditions:
    m at head of dcqueue_p((p,q))
  Effects:
    dequeue(dcqueue_p((p,q)))
    enqueue(m, dcqueue_pq((p,q)))

• ChannelRecv((p,q),m), (p,q) ∈ L(G), m ∈ M
  Preconditions:
    m at head of dcqueue_pq((p,q))
  Effects:
    dequeue(dcqueue_pq((p,q)))
    enqueue(m, dcqueue_q((p,q)))

• TestNode(p), p ∈ V(G)
  Preconditions:
    — let f = fragment(p) —
    p ∈ testset(f)
    if the minimum-weight external link (p,q) of p exists
      then level(f) ≤ level(fragment(q))
    dcstatus(p) = find
  Effects:
    testset(f) := testset(f) − {p}
    if the minimum-weight external link (p,q) of p exists then
      if wt(p,q) < bestwt(p) then [
        bestlink(p) := (p,q)
        bestwt(p) := wt(p,q) ]
    execute procedure Report(p)

• ReceiveReport((q,p),w), (q,p) ∈ L(G)
  Preconditions:
    REPORT(w) message at head of dcqueue_p((q,p))
  Effects:
    dequeue(dcqueue_p((q,p)))
    if (p,q) ≠ inbranch(p) then [
      findcount(p) := findcount(p) − 1
      if w < bestwt(p) then [
        bestwt(p) := w
        bestlink(p) := (p,q) ]
      execute procedure Report(p) ]
    else
      if dcstatus(p) = find then enqueue(REPORT(w), dcqueue_p((q,p)))

• ReceiveFind((q,p)), (q,p) ∈ L(G)
  Preconditions:
    FIND message at head of dcqueue_p((q,p))
    AfterMerge(p,q) not enabled
  Effects:
    dequeue(dcqueue_p((q,p)))
    dcstatus(p) := find
    inbranch(p) := (p,q)
    bestlink(p) := nil
    bestwt(p) := ∞
    — let S = {(p,r) : (p,r) ∈ subtree(fragment(p)), r ≠ q} —
    findcount(p) := |S|
    enqueue(FIND, dcqueue_p(l)) for all l ∈ S

Procedure Report(p), p ∈ V(G)
    if findcount(p) = 0 and p ∉ testset(fragment(p)) then [
      dcstatus(p) := unfind
      enqueue(REPORT(bestwt(p)), dcqueue_p(inbranch(p))) ]

• ChangeRoot(f), f ∈ fragments
  Preconditions:
    awake = true
    rootchanged(f) = false
    minlink(f) ≠ nil
  Effects:
    rootchanged(f) := true

• Merge(f,g), f,g ∈ fragments
  Preconditions:
    f ≠ g
    rootchanged(f) = rootchanged(g) = true
    minedge(f) = minedge(g)
  Effects:
    add a new element h to fragments
    subtree(h) := subtree(f) ∪ subtree(g) ∪ minedge(f)
    core(h) := minedge(f)
    level(h) := level(f) + 1
    rootchanged(h) := false
    testset(h) := nodes(h)
    — let (p,q) = minlink(f) —
    enqueue(FIND, dcqueue_p((p,q)))
    delete f and g from fragments

• AfterMerge(p,q), p,q ∈ V(G)
  Preconditions:
    (p,q) = core(fragment(p))
    FIND message in dcqueue((q,p))
    no FIND message in dcqueue((p,q))
    dcstatus(q) = unfind
    no REPORT message in dcqueue((q,p))
  Effects:
    enqueue(FIND, dcqueue_p((p,q)))

• Absorb(f,g), f,g ∈ fragments
  Preconditions:
    rootchanged(g) = true
    level(g) < level(f)
    — let (q,p) = minlink(g) —
    fragment(p) = f
  Effects:
    subtree(f) := subtree(f) ∪ subtree(g) ∪ minedge(g)
    if p ∈ testset(f) then [
      testset(f) := testset(f) ∪ nodes(g)
      if dcstatus(p) = find then [
        enqueue(FIND, dcqueue_p((p,q)))
        findcount(p) := findcount(p) + 1 ] ]
    delete g from fragments

Define the following predicates on states(DC), using these definitions.

A child q of p is completed if no node in subtree(q) is in testset(fragment(p)), and no REPORT is headed toward p in subtree(q) or in dcqueue((q,p)). Node p is up-to-date if either subtree(fragment(p)) = {p}, or the following two conditions are met: (1) following inbranches from p leads along edges of subtree(fragment(p)) toward and over core(f), and (2) if p ∈ testset(fragment(p)), then dcstatus(p) = find. Given node p, define C_p to be the set {r : either r = p and p ∉ testset(fragment(p)), or r is in subtree(q) for some completed child q of p}.

All free variables are universally quantified, except that f = fragment(p), in these predicates. (The fact that an old REPORT message, in a link that was formerly the core of a fragment, can remain even after that fragment has merged or been absorbed, complicated the statement of some of the predicates.)

• DC-A: If REPORT(w) is in dcqueue((q,p)) and inbranch(p) ≠ (p,q), then
  (a) if (p,q) = core(f), then a FIND message is ahead of the REPORT in dcqueue((q,p));
  (b) (q,p) = inbranch(q);
  (c) bestwt(q) = w;
  (d) dcstatus(q) = unfind;
  (e) every child of q is completed;
  (f) q ∉ testset(f); and
  (g) if (p,q) ≠ core(f), then dcstatus(p) = find, and q is a child of p.

• DC-B: If REPORT(w) is in dcqueue((q,p)) and inbranch(p) = (p,q), then
  (a) either (p,q) = core(f) or p is a child of q; and
  (b) if (p,q) ≠ core(f), then dcstatus(p) = unfind.

• DC-C: If REPORT(w) is in dcqueue((q,p)) and (p,q) = core(f), then
  (a) q is up-to-date;
  (b) dcstatus(q) = unfind; and
  (c) bestwt(q) = w.

• DC-D: If FIND is in dcqueue((q,p)), then
  (a) if (p,q) ≠ core(f), then p is a child of q and dcstatus(q) = find;
  (b) dcstatus(p) = unfind; and
  (c) every node in subtree(p) is in testset(f).

• DC-E: If p ∈ testset(f), then a FIND message is headed toward p, or dcstatus(p) = find, or AfterMerge(q,r) is enabled, where p ∈ subtree(r).

• DC-F: If (p,q) = core(f) and inbranch(q) ≠ (q,p), then either a FIND is in dcqueue((p,q)), or AfterMerge(p,q) is enabled.

• DC-G: If AfterMerge(p,q) is enabled, then every node in subtree(q) is in testset(f).

• DC-H: If dcstatus(p) = unfind, then
  (a) dcstatus(q) = unfind for all q ∈ subtree(p); and
  (b) findcount(p) = 0.

• DC-I: If dcstatus(p) = find, then
  (a) p is up-to-date; and
  (b) either a REPORT message is in subtree(p) headed toward p, or some q ∈ subtree(p) is in testset(f).

• DC-J: If dcstatus(p) = find and core(f) = (p,q), then a FIND message is in dcqueue((p,q)), or dcstatus(q) = find, or a REPORT message is in dcqueue((q,p)).

• DC-K: If p is up-to-date, then
  (a) findcount(p) is the number of children of p that are not completed;
  (b) if bestlink(p) = nil, then bestwt(p) = ∞, and there is no external link of any node in C_p; and
  (c) if bestlink(p) ≠ nil, then following bestlinks from p leads along edges in subtree(f) to the minimum-weight external link l of all nodes in C_p, wt(l) = bestwt(p), and level(fragment(target(l))) ≥ level(f).

• DC-L: If inbranch(p) ≠ nil, then inbranch(p) = (p,q) for some q, and (p,q) ∈ subtree(f).

• DC-M: findcount(p) ≥ 0.

• DC-N: If mw-minnode(f) is not in testset(f), then mw-minnode(f) is up-to-date.

• DC-O: The only possible values of dcqueue((p,q)) are empty, or FIND, or REPORT, or FIND followed by REPORT (only if (p,q) = core(f)), or REPORT followed by FIND (only if (p,q) ≠ core(f)).

Let P_DC be the conjunction of DC-A through DC-O.

In order to show that DC simulates GC, we define an abstraction mapping M4 = (S4, A4) from DC to GC.

Define the function S4 from states(DC) to states(GC) by ignoring the message queues and the variables dcstatus, findcount, bestlink, bestwt, and inbranch. The derived variables minlink and accmin of DC map to the (non-derived) variables minlink and accmin of GC.

Define the function A4 as follows. Let s be a state of DC and π an action of DC enabled in s. The GC action ComputeMin(f) is simulated in DC when a node adjacent to the core, having already heard from all its children, receives a REPORT message over the core with a weight larger than its own bestwt. Then the node knows that the minimum-weight external link of the fragment is on its own side of the subtree.

• Suppose π = ReceiveReport((q,p),w). If (p,q) = core(f) and dcstatus(p) = unfind and w > bestwt(p), then A4(s,π) = ComputeMin(fragment(p)). Otherwise A4(s,π) is empty.

• If π = ChannelSend((q,p),m), ChannelRecv((q,p),m), ReceiveFind((q,p)) or AfterMerge(p,q), then A4(s,π) is empty.

• For all other values of π, A4(s,π) = π.

The following predicates are true in any state of DC satisfying (P'_GC ∘ S4) ∧ P_DC. Recall that P'_GC = (P'_COM ∘ S2) ∧ P_GC. If P'_GC(S4(s)) is true, then the GC predicates are true in S4(s), the COM predicates are true in S2(S4(s)), and the HI predicates are true in S1(S2(S4(s))). Thus, these predicates are deducible from P_DC, together with the GC, COM and HI predicates.

• DC-P: If REPORT(w) is at the head of dcqueue((q,p)) and (p,q) = core(f) and dcstatus(p) = unfind, then
  (a) if w < bestwt(p), then the minimum-weight external link l of f is closer to q than to p, and wt(l) = w;
  (b) if w > bestwt(p), then the minimum-weight external link l of f is closer to p than to q, and wt(l) = bestwt(p); and
  (c) if w = bestwt(p), then w = ∞ and there is no external link of f.

Proof:

1. REPORT(w) is at the head of dcqueue((q,p)), by assumption.

2. dcstatus(p) = unfind, by assumption.

3. (p,q) = core(f), by assumption.

4. q is up-to-date, by Claims 1 and 3 and DC-C(a).

5. dcstatus(q) = unfind, by Claims 1 and 3 and DC-C(b).

6. w = bestwt(q), by Claims 1 and 3 and DC-C(c).

7. q ∉ testset(f), by Claims 4 and 5.

8. No FIND is in dcqueue((q,p)), by Claims 1 and 3 and DC-O.

9. p is up-to-date, by Claims 2, 3, 4 and 8 and DC-T.

10. p ∉ testset(f), by Claims 2 and 9.

11. findcount(p) = 0, by Claim 2 and DC-H(b).

12. findcount(q) = 0, by Claim 5 and DC-H(b).

13. All children of p are completed, by Claims 9 and 11 and DC-K(a).

14. All children of q are completed, by Claims 4 and 12 and DC-K(a).

15. If bestwt(p) = ∞, then there is no external link of subtree(p), by Claims 9, 10 and 13 and DC-K(b) and (c).

16. If bestwt(p) ≠ ∞, then following bestlinks from p leads to the minimum-weight external link l of subtree(p) and wt(l) = bestwt(p), by Claims 9, 10 and 13 and DC-K(b) and (c).

17. If bestwt(q) = w = ∞, then there is no external link of subtree(q), by Claims 4, 6, 7 and 14 and DC-K(b) and (c).

18. If bestwt(q) = w ≠ ∞, then following bestlinks from q leads to the minimum-weight external link l of subtree(q) and wt(l) = w, by Claims 4, 6, 7 and 14 and DC-K(b) and (c).

Claims 3 and 15 through 18 give the result, together with the fact that edge weights are distinct. □

• DC-Q: If a REPORT is at the head of dcqueue((q,p)) and is not headed toward mw-root(f), then inbranch(p) = (p,q).

Proof: If (p,q) = core(f), then inbranch(p) = (p,q) by DC-A(a). Suppose (p,q) ≠ core(f), and, in contradiction, that inbranch(p) ≠ (p,q). By DC-A(g), dcstatus(p) = find, and by DC-I(a) p is up-to-date, i.e., following inbranches from p leads toward and over core(f). Thus the REPORT in dcqueue((q,p)) is headed toward both endpoints of core(f), contradicting the hypothesis. □

• DC-R: If dcstatus(p) = find, then no REPORT is in dcqueue(inbranch(p)).

Proof: Let inbranch(p) = (p,q).

1. dcstatus(p) = find, by assumption.

2. p is up-to-date, by Claim 1 and DC-I(a).

3. Following inbranches from p leads toward and over core(f), by Claim 2.

4. Either (p,q) = core(f), or inbranch(q) ≠ (q,p), or no REPORT is in dcqueue((p,q)), by Claim 3 and DC-B(b).

5. If (p,q) = core(f), then no REPORT is in dcqueue((p,q)), by Claim 1 and DC-C(b).

6. If inbranch(q) ≠ (q,p), then no REPORT is in dcqueue((p,q)), by Claim 1 and DC-A(d).

7. No REPORT is in dcqueue((p,q)), by Claims 4, 5 and 6. □

• DC-S: At most one FIND message is headed toward p.

Proof: Suppose a FIND message is headed toward p.

1. A FIND is in dcqueue((q,r)), by assumption.

2. p ∈ subtree(r), by assumption.

3. dcstatus(r) = unfind, by Claim 1 and DC-D(b).

4. dcstatus(t) = unfind for all t ∈ subtree(r), by Claim 3 and DC-H(a).

5. No FIND message is in dcqueue((t,u)), for any (t,u) ∈ subtree(r), by Claim 4 and DC-D(a).

If (q,r) = core(f), Claim 5 proves the result. Suppose (q,r) ≠ core(f).

6. (q,r) ≠ core(f), by assumption.

7. dcstatus(q) = find, by Claims 1 and 6 and DC-D(a).

8. dcstatus(t) = find for all t between q and the endpoint of core(f) closest to q, by Claim 7 and DC-H(a).

9. No FIND message is in dcqueue((t,u)) for any (t,u) between core(f) and q, by Claim 8 and DC-D(b).

Claim 9 completes the proof. □

• DC-T: If (p,q) = core(f), no FIND is in dcqueue((p,q)), p is up-to-date, and dcstatus(q) = unfind, then q is up-to-date.

Proof:

1. (p,q) = core(f), by assumption.

2. No FIND is in dcqueue((p,q)), by assumption.

3. p is up-to-date, by assumption.

4. dcstatus(q) = unfind, by assumption.

5. No FIND is headed toward q, by Claims 1 and 2 and DC-D(a).

6. No FIND is in dcqueue((q,p)), by Claim 3 and DC-D(b) and (c).

7. AfterMerge(p,q) is not enabled, by Claim 6.

8. inbranch(q) = (q,p), by Claims 5 and 7 and DC-F.

9. q ∉ testset(f), by Claims 4, 5 and 7 and DC-E.

10. q is up-to-date, by Claims 1, 8 and 9. □

Lemma 19: DC simulates GC via M4, P_DC, and P'_GC.

Proof: By inspection, the types of DC, GC, M4, and P_DC are correct. By Corollary 16, P'_GC is a predicate true in every reachable state of GC.

(1) Let s be in start(DC). Obviously, P_DC is true in s, and S4(s) is in start(GC).

(2) Obviously, A4(s,π)|ext(GC) = π|ext(DC).

(3) Let (s',π,s) be a step of DC such that P'_GC is true of S4(s') and P_DC is true of s'. For (3a) we verify below only those DC predicates whose truth in s is not obvious.

i) π is Start(p), ChangeRoot(f), InTree(l), or NotInTree(l). A4(s',π) = π. Obviously S4(s')πS4(s) is an execution fragment of GC and P_DC is true in s.

ii) π is ChannelSend(l,m) or ChannelRecv(l,m). A4(s',π) is empty. Obviously S4(s) = S4(s') and P_DC is true in s.

iii) π is TestNode(p). Let f = fragment(p) in s'.

(3c) A4(s',π) = π. Obviously, π is enabled in S4(s'). To show the effects are mirrored in S4(s), we must show that accmin(f) is updated properly (which is obvious) and that minlink(f) is unchanged. Since p ∈ testset(f) in s', minlink(f) = nil in s' by GC-C. If accmin(f) ≠ nil, or if p has an external link in s', then accmin(f) ≠ nil in s, and minlink(f) is still nil in s. If some q ≠ p is in testset(f) in s', then by DC-E either a FIND is in subtree(f) or dcstatus(q) = find; since the same is true in s, minlink(f) is still nil in s. Finally, if accmin(f) = nil, p has no external link, and p is the sole element of testset(f) in s', then f has no external link in s' or in s, and minlink(f) is still nil in s.

(3a) Two cases are considered. First we prove some facts true in both cases.

Claims about s':

1. dcstatus(p) = find, by precondition.

2. p ∈ testset(f), by precondition.

3. If (p,u), the minimum-weight external link of p, exists, then level(f) ≤ level(fragment(u)), by precondition.

4. p is up-to-date, by Claim 1 and DC-I(a).

5. No FIND is headed toward p, by Claim 1 and DC-D(c).

6. If (p,r) = core(f), then no REPORT is in dcqueue((p,r)), for any r, by Claim 1 and DC-C(b).

7. If a REPORT is in dcqueue((p,r)), then inbranch(r) = (r,p), for any r, by Claim 1 and DC-A(d).

8. AfterMerge(r,t), where p ∈ subtree(t), is not enabled, by Claim 1 and DC-H(a).

9. If bestlink(p) = nil, then bestwt(p) = ∞ and there is no external link of any node r, where r is in the subtree of any completed child of p, by Claims 2 and 4 and DC-K(b).

10. If bestlink(p) ≠ nil, then following bestlinks from p leads to the minimum-weight external link l of all nodes r, where r is in the subtree of any completed child of p; wt(l) = bestwt(p) and level(f) ≤ level(fragment(target(l))), by Claims 2 and 4 and DC-K(c).

Case 1: findcount(p) ≠ 0 in s'.

More claims about s':

11. findcount(p) ≠ 0, by assumption.

12. findcount(p) > 0, by Claim 11 and DC-M.

13. Some child r of p is not completed, by Claims 4 and 12 and DC-K(a).

14. There is a child r of p such that either some node in subtree(r) is in testset(f), or a REPORT is in subtree(r) or dcqueue((r,p)) headed toward p, by Claim 13.

DC-A(c): By Claim 7, changing bestwt(p) and removing p from testset(f) are OK.

DC-C: By Claim 6, changing bestwt(p) is OK.

DC-D(c): By Claim 5, removing p from testset(f) is OK.

DC-G: By Claim 8 and the fact that dcstatus(p) is still find in s, removing p from testset(f) is OK.

DC-I(b): By Claim 14, removing p from testset(f) is OK.

DC-K: (b) By Claim 9 and code. (c) By Claims 3 and 10 and code.

DC-N: If p is mw-minnode(f), then by Claim 4, removing p from testset(f) is OK.

Case 2: findcount(p) = 0 in s'. Let (p,q) = inbranch(p).

More claims about s':

15. findcount(p) = 0, by assumption.

16. If (p,q) = core(f) and inbranch(q) ≠ (q,p), then a FIND is in dcqueue((p,q)), by Claim 5 and DC-F.

17. All children of p are completed, by Claims 4 and 15 and DC-K(a).

18. If (p,q) ≠ core(f), then dcstatus(q) = find, by Claim 1 and DC-H(a).

19. If a REPORT is in dcqueue((q,p)), then (p,q) = core(f), by Claim 4 and DC-B(a).

20. No REPORT is in dcqueue((p,q)), by Claim 1 and DC-R.

21. If a FIND is in dcqueue((p,q)), then (p,q) = core(f), by Claim 4 and DC-D(a).

22. Every node r ≠ p in subtree(p) has dcstatus(r) = unfind, by Claims 1 and 17 and DC-I(b).

23. Every node r ≠ p in subtree(p) has findcount(r) = 0, by Claim 22 and DC-H(b).

DC-A: By Claim 7 and the fact that inbranch(p) = (p,q), we need only consider the REPORT added to dcqueue((p,q)). (a) by Claim 16. (b), (c) and (d) by code. (e) by Claim 17. (f) by code. (g) by Claims 4 and 18.

DC-B for the REPORT added to dcqueue((p,q)): If inbranch(q) = (q,p), then (p,q) = core(f), by Claim 4.

DC-B for a REPORT that might be in dcqueue((q,p)): by Claim 19.

DC-C: By Claim 4, inbranch(p) is the only relevant link; by Claim 20, the new message is the only REPORT in that queue. (a) by Claim 4. (b) and (c) by code.

DC-D(a) and (c): By Claim 5, it is OK to change dcstatus(p) to unfind and remove p from testset(f).

DC-E: The addition of a REPORT to dcqueue((p,q)) in s cannot cause AfterMerge(q,p) to go from enabled in s' to disabled in s, by Claim 1.

DC-F: Cf. DC-E.

DC-G: By Claim 8 and the addition of the REPORT to dcqueue((p,q)), removing p from testset(f) is OK.

DC-H: (a) By Claim 22 and code. (b) By Claim 23.

DC-I(b): Suppose r ≠ q is some node such that p ∈ subtree(r) and dcstatus(r) = find in s'. By Claim 4, removing p from testset(f) is compensated for by adding the REPORT to dcqueue((p,q)).

DC-J: By Claim 4, the only link of p that can be part of core(f) is (p,q). If (p,q) = core(f) and dcstatus(q) = find, then the fact that dcstatus(p) becomes unfind in s is compensated for by the addition of the REPORT to dcqueue((p,q)).

DC-K(b) and (c): As in Case 1.

DC-N: As in Case 1.

DC-O: By Claims 20, 21 and code.

iv) π is ReceiveReport((q,p),w). Let f = fragment(p) in s'.

(3b)/(3c) Case 1: (p,q) = core(f) and dcstatus(p) = unfind and w > bestwt(p) in s'. A4(s',π) = ComputeMin(f).

Let (r,t) be the minimum-weight external link of f in s'. (Below we show it exists.)

Claims about s':

1. REPORT(w) is at the head of dcqueue((q,p)), by precondition.

2. (p,q) = core(f), by assumption.

3. dcstatus(p) = unfind, by assumption.

4. w > bestwt(p), by assumption.

5. No FIND is in dcqueue((q,p)), by Claim 1 and DC-O.

6. q is up-to-date, by Claims 1 and 2 and DC-C(a).

7. p is up-to-date, by Claims 2, 3, 5 and 6 and DC-T.

8. dcstatus(q) = unfind, by Claims 1 and 2 and DC-C(b).

9. bestwt(q) = w, by Claims 1 and 2 and DC-C(c).

10. p = mw-root(f) (so (r,t) exists), by Claims 1, 2, 3 and 4 and DC-P(b).

11. minlink(f) = nil, by Claims 1 and 10.

12. findcount(p) = 0, by Claim 3 and DC-H(b).

13. findcount(q) = 0, by Claim 8 and DC-H(b).

14. Every child of p is completed, by Claims 7 and 12 and DC-K(a).

15. Every child of q is completed, by Claims 6 and 13 and DC-K(a).

16. p ∉ testset(f), by Claims 3 and 7.

17. q ∉ testset(f), by Claims 6 and 8.

18. testset(f) = ∅, by Claims 14 through 17.

19. accmin(f) = (r,t), by Claims 11 and 18.

By Claims 11, 18 and 19, ComputeMin(f) is enabled in s'.

Now we must show that the effects of ComputeMin(f) are mirrored in s. All that must be shown is that minlink(f) and accmin(f) are updated properly.

More claims about s':

20. dcstatus(u) = unfind, for all u ∈ subtree(p), by Claim 3 and DC-H(a).

21. dcstatus(u) = unfind, for all u ∈ subtree(q), by Claim 8 and DC-H(a).

22. No REPORT is headed toward p in subtree(p), by Claim 14.

23. No REPORT is headed toward q in subtree(q), by Claim 15.

24. Only one REPORT is in subtree(p), by DC-O.

25. No FIND is in subtree(f), by Claim 18 and DC-D(c).

26. Following bestlinks from p leads to (r,t), by Claims 7, 10, 14 and 16 and DC-K(b) and (c).

By Claims 10 and 20 through 26, minlink(f) = (r,t) in s. By Claim 19, this is the correct value. Thus, accmin(f) = nil in s.

Case 2: (p,q) ≠ core(f) or dcstatus(p) = find or w ≤ bestwt(p) in s'. A4(s',π) is empty. We just need to verify that minlink(f) and accmin(f) are unchanged in order to show that S4(s') = S4(s).

Subcase 2a: (p,q) ≠ core(f) in s'.

Suppose (p,q) = inbranch(p) in s'. By DC-B(b), dcstatus(p) = unfind, so the only effect is to remove the REPORT. By DC-B(a), p ∈ subtree(q), so this REPORT message is not headed toward mw-root(f) in s'. Thus minlink(f) is unchanged, and accmin(f) is also unchanged.

Suppose (p,q) ≠ inbranch(p) in s'.

Section 4.2.4: DC Simulates GC
Claims about s':

1. REPORT(w) is at the head of dcqueue((q,p)), by precondition.

2. (p,q) ≠ inbranch(p), by assumption.

3. (p,q) ≠ core(f), by assumption.

4. dcstatus(p) = find, by Claims 1, 2 and 3 and DC-A(g).

5. p is up-to-date, by Claim 4 and DC-I(a).

6. Following inbranches from p leads toward and over core(f), by Claim 5.

7. A REPORT message is headed toward mw-root(f), by Claims 1 and 6.

8. minlink(f) = nil, by Claim 7.

9. If core(f) = (p,t) for some t, then a FIND is in dcqueue((p,t)), dcstatus(t) = find, or a REPORT is in dcqueue((t,p)), by Claim 4 and DC-J.

Claims about s:

10. subtree(f), core(f), nodes(f), and testset(f) do not change, by code.

11. A REPORT is in dcqueue(inbranch(p)), by code.

12. Following inbranches from p leads toward and over core(f), by Claims 6 and 10 and code.

13. If p ≠ mw-root(f), then a REPORT is headed toward mw-root(f), by Claims 11 and 12.

14. If p = mw-root(f), then a FIND is in dcqueue((p,t)), dcstatus(t) = find, or a REPORT is in dcqueue((t,p)), where (p,t) = core(f), by Claim 9 and code.

15. minlink(f) = nil, by Claims 13 and 14.

16. accmin(f) does not change, by Claims 8, 10 and 15.

Claims 15 and 16 give the result.

Subcase 2b: (p,q) = core(f) and dcstatus(p) = find in s'. Since REPORT(w) is at the head of dcqueue((q,p)), DC-A(a) implies that inbranch(p) = (p,q). The only change is that the REPORT message is requeued. Obviously minlink(f) and accmin(f) are unchanged.

Subcase 2c: (p,q) = core(f) and dcstatus(p) = unfind and w ≤ bestwt(p) in s'. As in Subcase 2b, inbranch(p) = (p,q). The only change is that the REPORT message is removed. If w = bestwt(p), then by DC-P(c), there is no external link of f in s' or in s. Thus minlink(f) and accmin(f) are both nil in s' and s.

Suppose w < bestwt(p). By DC-P(a), q = mw-root(f). Thus the REPORT message in dcqueue((q,p)) is not headed toward mw-root(f) in s', and no criterion for minlink(f) or accmin(f) changes.


(3a) Case 1: (p,q) = inbranch(p) in s'.


Suppose dcstatus(p) = find. By DC-D(b), no FIND is in dcqueue((q,p)) in s', so by DC-O, dcqueue((q,p)) contains just the one REPORT message in s'. Since the only effect is to requeue the message, the DC state is unchanged.

Suppose dcstatus(p) = unfind. The only change is the removal of the REPORT message from dcqueue((q,p)). By DC-B(a), either (p,q) = core(f), or p ∈ subtree(q) in s'. In both cases, the REPORT is not headed toward any node whose subtree it is


DC-I(b):  By  remark  above. 


DC-J: Even though REPORT is removed from dcqueue((q,p)), dcstatus(p) = unfind in s.


DC-K(a): By remark above, removing the REPORT does not affect the completeness of any node's child.


Case 2: (p,q) ≠ inbranch(p). Let (p,r) = inbranch(p).


Claims  about  s' : 


1. REPORT(w) is at head of dcqueue((q,p)), by precondition.

2. (p,q) ≠ inbranch(p), by assumption.

3. (p,q) ≠ core(f), by Claims 1 and 2 and DC-A(a).

4. (q,p) = inbranch(q), by Claims 1 and 2 and DC-A(b).

5. w = bestwt(q), by Claims 1 and 2 and DC-A(c).

6. dcstatus(q) = unfind, by Claims 1 and 2 and DC-A(d).

7. Every child of q is completed, by Claims 1 and 2 and DC-A(e).

8. q ∉ testset(f), by Claims 1 and 2 and DC-A(f).

9. dcstatus(p) = find, by Claim 3 and DC-A(g).

10. If REPORT is in dcqueue((p,t)), then inbranch(t) = (t,p), for any t, by Claim 9 and DC-A(d).

11. p is up-to-date, by Claim 9 and DC-I(a).

12. inbranch(p) leads toward and over core(f), by Claim 11.

13. q is an uncompleted child of p, by Claims 1, 2 and 12.

14. findcount(p) ≥ 1, by Claims 11 and 13 and DC-K(a).

15. Only one REPORT is in dcqueue((q,p)), by Claim 1 and DC-O.

16. q is up-to-date, by Claims 4, 8 and 12.

17. If REPORT is in dcqueue((p,t)), then (p,t) ≠ core(f), for all t, by Claim 9 and DC-C(b).

18. If bestwt(p) = ∞, then there is no external link of p (if p ∉ testset(f)) or of any node in the subtree of any completed child of p, by Claim 11 and DC-K(b) and (c).

19. If bestwt(p) ≠ ∞, then following bestlinks from p leads to the minimum-weight external link l of all nodes in C_p; wt(l) = bestwt(p); and level(f) ≤ level(fragment(target(l))), by Claim 11 and DC-K(b) and (c).

20. If w = ∞, then there is no external link of subtree(q), by Claims 5, 7, 8 and 16 and DC-K(b) and (c).

21. If w ≠ ∞, then following bestlinks from q leads to the minimum-weight external link l of subtree(q); wt(l) = w, and level(f) ≤ level(fragment(target(l))), by Claims 5, 7, 8 and 16 and DC-K(b) and (c).


Subcase 2a: p ∈ testset(f) or findcount(p) ≠ 1 in s'.

More claims about s':

22. p ∈ testset(f) or findcount(p) ≠ 1, by assumption.

23. If findcount(p) ≠ 1, then findcount(p) > 1, by Claim 14.

24. If findcount(p) ≠ 1, then some child t ≠ q of p is not completed, by Claims 11 and 23 and DC-K(a).

25. If findcount(p) = 1, then p ∈ testset(f), by Claim 22.

DC-A(c): By Claim 10, any change to bestwt(p) is OK.

DC-C: By Claim 17, changing bestwt(p) is OK.

DC-F: Cf. DC-G.

DC-G: Removing REPORT from dcqueue((q,p)) does not cause AfterMerge(p,q) to become enabled, by Claim 3.

DC-I(b): Let t be some node such that p ∈ subtree(t) and dcstatus(t) = find in s'. By Claims 24 and 25, either a REPORT message is in subtree(p) headed toward p (and hence toward t), or some node in subtree(p) (and hence in subtree(t)) is in testset(f).


DC-J: The removal of the REPORT message is OK by Claim 3.

DC-K(a): Since findcount(p) is decremented by 1, we just need to show that the number of uncompleted children of p decreases by 1: by Claim 1, q is not completed in s'. By Claims 7, 8 and 15 and code, q is completed in s.

DC-K(b)  and  (c):  by  Claims  18,  19,  20  and  21  and  code. 

DC-M:  By  Claim  14  and  code. 

Subcase 2b: p ∉ testset(f) and findcount(p) = 1.

26. p ∉ testset(f), by assumption.

27. findcount(p) = 1, by assumption.

28.  No  FIND  is  headed  toward  p,  by  Claim  9  and  DC-D(b). 

29. If (p,r) = core(f) and inbranch(r) ≠ (r,p), then FIND is in dcqueue((p,r)), by Claim 28 and DC-F.

30. No REPORT is in dcqueue((p,r)), by Claim 9 and DC-R.

31. Every child of p but q is completed, by Claims 11, 13, 27 and DC-K(a).

32. No FIND is in dcqueue((p,t)), t ≠ r, by Claims 7, 8 and 31 and DC-D(c).

33. If REPORT is in dcqueue((r,p)), then (p,r) = core(f), by Claim 9 and DC-B(a) and (b).

34. If (p,r) ≠ core(f), then dcstatus(r) = find, by Claims 9 and 12 and DC-H(a).

35. If FIND is in dcqueue((p,r)), then (p,r) = core(f), by Claim 12 and DC-D(a).

DC-A: By Claim 10 and the fact that inbranch(p) = (p,r), we need only consider the REPORT added to dcqueue((p,r)). (a) by Claim 29. (b), (c) and (d) by code. (e) by Claim 31 for any child of p except q; by Claims 7, 8 and 15 and code for q. (f) by Claim 8. (g) by Claims 12 and 34.

DC-B for REPORT added to dcqueue((p,r)): if inbranch(r) = (r,p), then by Claim 12, core(f) = (p,r).

DC-B for REPORT in dcqueue((r,p)): By Claim 33, core(f) = (p,r).

DC-C: By Claim 12, inbranch(p) is the only relevant link; by Claim 30, the new message is the only REPORT message in its queue. (a) by Claim 11. (b) and (c) by code.

DC-D(a): By Claims 32 and 35, changing dcstatus(p) to unfind is OK.

DC-E: The addition of the REPORT to dcqueue((p,r)) in s cannot cause AfterMerge(r,p) to go from enabled in s' to disabled in s, because dcstatus(p) = find in s' by Claim 9.

DC-F: Cf. DC-E.

DC-H(a): By Claims 7 and 8, no node in subtree(q) is in testset(f). By Claim 31, no node in subtree(t), for any child t ≠ q of p, is in testset(f). By Claim 26, p ∉ testset(f).

DC-H(b): By Claim 27 and code.

DC-I(b): Let t ≠ p be such that p ∈ subtree(t) and dcstatus(t) = find in s'. By Claim 12, removing the REPORT from dcqueue((q,p)) is compensated for by adding the REPORT to dcqueue((p,r)).

DC-J: By Claim 12, the only link of p that can be part of core(f) is (p,r). If (p,r) = core(f) and dcstatus(r) = find in s', then changing dcstatus(p) to unfind in s is compensated for by adding the REPORT to dcqueue((p,r)).

DC-K: As in Subcase 2a.

DC-M: Claim 27 and code.

DC-O: By Claim 30 and DC-O and code.

v) π is ReceiveFind((q,p)). Let f = fragment(p).

(3b) A4(s',π) is empty. To show that S4(s') = S4(s), we just need to show that minlink(f) and accmin(f) are unchanged. Because of the FIND message, minlink(f) = nil in s', and minlink(f) = nil in s since dcstatus(p) = find. Since there is no change to minlink(f), nodes(f), testset(f), or subtree(f), accmin(f) is unchanged.

(3a) Claims about s':

1. FIND is at head of dcqueue((q,p)), by precondition.

2. AfterMerge(p,q) is not enabled, by precondition.

3. If (p,q) ≠ core(f), then p is a child of q, by Claim 1 and DC-D(a).

4. If (p,q) ≠ core(f), then dcstatus(q) = find, by Claim 1 and DC-D(a).

5. dcstatus(p) = unfind, by Claim 1 and DC-D(b).

6. Every node in subtree(p) is in testset(f), by Claim 1 and DC-D(c).

7. No REPORT is in dcqueue((p,r)) with inbranch(r) ≠ (r,p), for all r, by Claim 6 and DC-A(f).

8. If REPORT is in dcqueue((p,r)), then (p,r) ≠ core(f), for all r, by Claim 6 and DC-C.

9. If REPORT is in dcqueue((q,p)), then (p,q) = core(f), by Claim 1 and DC-O.

10. If (r,p) ∈ subtree(f), r ≠ q, then r is a child of p, by Claim 3.

11. No REPORT is in dcqueue((r,p)), r ≠ q, with inbranch(p) ≠ (p,r), by Claims 6 and 10 and DC-A(f).

12. No REPORT is in dcqueue((r,p)), r ≠ q, with inbranch(p) = (p,r), by Claim 10 and DC-B(a).

13. If (p,r) ∈ S, then r is a child of p, by Claim 10.

14. dcstatus(r) = unfind for all r ∈ subtree(p), by Claim 5 and DC-H(a).

15. If (p,q) ≠ core(f), then dcstatus(r) = find, for all r such that q ∈ subtree(r), by Claim 4 and DC-H(a).

16. dcqueue((p,r)) is either empty or contains only a REPORT, for all r such that (p,r) ∈ S, by Claims 5 and 13 and DC-D(a) and DC-O.

17. If (p,q) ≠ core(f), then following inbranches from q leads toward and over core(f), by Claim 4 and DC-I(a).

DC-A(a): By Claim 7, we need not consider any REPORT in a link leaving p. By Claim 11 we need not consider any REPORT in a link coming into p, except for (q,p). Since inbranch(p) is set to (p,q) in s, removing FIND from dcqueue((q,p)) is OK.

DC-B: By Claims 9 and 12, changing dcstatus(p) is OK.

DC-C: By Claim 8, changing dcstatus(p) and bestwt(p) is OK.

DC-D: (a) by Claim 13 and code. (b) by Claim 14. (c) by Claim 6.

DC-E: By Claim 12 and code (adding FIND messages and setting dcstatus(p) to find), removing FIND from dcqueue((q,p)) is OK.

DC-F: As argued for DC-I(a), the only possible link of p that is part of core(f) is (p,q). Since code sets inbranch(p) to (p,q), removing the FIND is OK.

DC-H(a): If (p,q) = core(f), then changing dcstatus(p) to find is OK. If (p,q) ≠ core(f), then Claim 15 implies that it is OK to change dcstatus(p) to find.

DC-I: (a) If (p,q) = core(f), then code gives the result, since inbranch(p) is set to (p,q) and dcstatus(p) is set to find. If (p,q) ≠ core(f), then Claim 17, the fact that p is a child of q by DC-D(a), and code give the result. (b) by Claim 6.

DC-J: By Claims 1 and 2.

DC-K: (a) findcount(p) = |S| = number of children of p. None is complete, by Claim 6. (b) and (c) are true by code, since no children are complete.

DC-L: by code and Claim 3.

DC-M: by code.

DC-O: Removing the FIND from dcqueue((q,p)) is OK. Adding FIND to dcqueue((p,r)), (p,r) ∈ S, is OK by Claim 16.

vi) π is Merge(f,g).

(3c) A4(s',π) = π. Obviously π is enabled in S4(s'). Effects are mirrored in S4(s) if we can show accmin(h) = minlink(h) = nil in s. Inspecting the code reveals that in s, a FIND message is in subtree(h), so minlink(h) = nil, and nodes(h) = testset(h), so accmin(h) = nil.

(3a) Claims about s':

1. f ≠ g, by precondition.

2. rootchanged(f) = true, by precondition.

3. rootchanged(g) = true, by precondition.

4. minedge(f) = minedge(g), by precondition.

5. minlink(f) ≠ nil, by Claim 2 and COM-B.

Let (p,q) = minlink(f).

6. minlink(g) = (q,p), by Claims 1, 4 and 5.

7. No REPORT is headed toward root(f), by Claim 5.

8. No REPORT is headed toward root(g), by Claim 6.

9. No FIND is in subtree(f), by Claim 5.

10. No FIND is in subtree(g), by Claim 6.

11. dcstatus(r) = unfind for all r ∈ nodes(f), by Claim 5.

12. dcstatus(r) = unfind for all r ∈ nodes(g), by Claim 6.

13. (p,q) is the minimum-weight external link of f, by Claim 5 and COM-A.

14. (q,p) is the minimum-weight external link of g, by Claim 6 and COM-A.

15. testset(f) = ∅, by Claim 5 and GC-C.

16. testset(g) = ∅, by Claim 6 and GC-C.

17. If REPORT is in dcqueue((r,t)), then inbranch(t) = (t,r), for all (r,t) ∈ subtree(f), by Claims 9 and 11 and DC-A(a) and (f).

18. If REPORT is in dcqueue((r,t)), then inbranch(t) = (t,r), for all (r,t) ∈ subtree(g), by Claims 10 and 12 and DC-A(a) and (f).

19. If REPORT is in dcqueue((r,t)) and (r,t) = core(f), then r = root(f), by Claim 7.

20. If REPORT is in dcqueue((r,t)) and (r,t) = core(g), then r = root(g), by Claim 8.

21. If REPORT is in dcqueue((r,t)) and (r,t) ≠ core(f), then t is a child of r, for all (r,t) ∈ subtree(f), by Claim 17 and DC-B(a).

22. If REPORT is in dcqueue((r,t)) and (r,t) ≠ core(g), then t is a child of r, for all (r,t) ∈ subtree(g), by Claim 18 and DC-B(a).

23. If REPORT is in dcqueue((r,t)), then (r,t) is not on the path between root(f) and p, for all (r,t) ∈ subtree(f), by Claims 5, 7, 13, 15 and 17 and DC-N.

24. If REPORT is in dcqueue((r,t)), then (r,t) is not on the path between root(g) and q, for all (r,t) ∈ subtree(g), by Claims 6, 8, 14, 16 and 18 and DC-N.

25. dcqueue((p,q)) is empty, by Claim 13 and DC-A(g), DC-B(a) and DC-D(a).

26. dcqueue((q,p)) is empty, by Claim 14 and DC-A(g), DC-B(a) and DC-D(a).

27. findcount(r) = 0 for all r ∈ nodes(f), by Claim 11 and DC-H(b).

28. findcount(r) = 0 for all r ∈ nodes(g), by Claim 12 and DC-H(b).

Claims  about  s: 

29. subtree(h) is the old subtree(f) and subtree(g) and (p,q), by code.

30. core(h) = (p,q), by code.

31. testset(h) = nodes(h), by code.

32. dcqueue((p,q)) contains only a FIND, by Claim 25 and code.

33. No FIND is in any other link of subtree(h), by Claims 9, 10 and 29.

34. dcstatus(r) = unfind for all r ∈ nodes(h), by Claims 11, 12 and 29.

35. If REPORT is in dcqueue((r,t)), then inbranch(t) = (t,r), for all (r,t) ∈ subtree(h), by Claims 17, 18, 25, 26 and 29.

36. If REPORT is in dcqueue((r,t)), then t is a child of r, for all (r,t) ∈ subtree(h), by Claims 21 through 26 and 29.

37. AfterMerge(q,p) is enabled, by Claims 30, 32, 33 and 34.

38. dcqueue((q,p)) is empty, by Claim 26.

39. findcount(r) = 0 for all r ∈ nodes(h), by Claims 27, 28 and 29.

DC-A: Vacuously true, by Claim 35.


DC-B: By Claims 34 and 36.

DC-C: By Claims 30, 32 and 38.

DC-D: The only FIND is in dcqueue((p,q)), by Claims 32 and 33. (a) by Claim 30. (b) by Claim 34. (c) by Claim 31.

DC-E: By Claim 32 for subtree(q); by Claim 37 for subtree(p).

DC-F: By Claims 32 and 37.

DC-G: By Claim 31.

DC-H: (a) by Claim 34. (b) by Claim 39.

DC-I:  Vacuously  true  by  Claim  34. 

DC-J:  Vacuously  true  by  Claim  34. 

DC-K:  By  Claims  31  and  34,  none  is  up-to-date. 

DC-M:  By  Claim  39. 

DC-N:  Vacuously  true  by  Claim  31. 

DC-O: By Claim 30.

vii) π is AfterMerge(p,q). Let f = fragment(p).

(3b) A4(s',π) is empty. We just need to show that accmin(f) and minlink(f) do not change. The FIND message(s) imply that minlink(f) = nil in both s' and s. Since there is no change to minlink(f), nodes(f), testset(f), or subtree(f), accmin(f) does not change.

(3a) Claims about s':

1. (p,q) = core(f), by precondition.

2. FIND is in dcqueue((q,p)), by precondition.

3. No FIND is in dcqueue((p,q)), by precondition.

4. dcstatus(q) = unfind, by precondition.

5. No REPORT is in dcqueue((q,p)), by precondition.

6. Every node in subtree(q) is in testset(f), by Claims 1 through 5 and DC-G.

7. p ∈ testset(f), by Claim 2 and DC-D(c).

8. No REPORT is in dcqueue((p,q)), by Claim 7 and DC-C.

9. dcqueue((q,p)) consists solely of a FIND, by Claims 2 and 5 and DC-O.

10. dcqueue((p,q)) is empty, by Claims 3 and 8 and DC-O.

11. (p,q) ∈ subtree(f), by Claim 1 and COM-F.

Claims  about  s: 

12. (p,q) = core(f), by Claim 1.

13. Every node in subtree(q) is in testset(f), by Claim 6.

14. dcqueue((q,p)) consists solely of FIND, by Claim 9.

15. dcqueue((p,q)) consists solely of FIND, by Claim 10 and code.

16. dcstatus(q) = unfind, by Claim 4.

17. AfterMerge(p,q) is not enabled, by Claim 15.

18. AfterMerge(q,p) is not enabled, by Claim 14.

DC-D:  (a)  by  Claim  12.  (b)  by  Claim  16.  (c)  by  Claim  13. 

DC-E: By Claim 15 (FIND in dcqueue((p,q)) replaces AfterMerge(p,q) being enabled).

DC-F: By Claim 15 (FIND in dcqueue((p,q)) replaces AfterMerge(p,q) being enabled).

DC-G:  vacuously  true  by  Claims  17  and  18. 

DC-O: By Claim 15.

viii) π is Absorb(f,g).

(3c) A4(s',π) = π. Obviously π is enabled in S4(s'). Effects are mirrored in S4(s) if we can show that accmin(f) and minlink(f) do not change.

Case 1: p ∈ testset(f) in s'. By GC-C, minlink(f) = nil in s'. By inspecting the code, a FIND message is in subtree(f) in s, so minlink(f) = nil in s also.

Suppose accmin(f) = nil in s'. Then there is no external link of any q ∈ nodes(f) − testset(f) in s'. Since all of nodes(g) is added to testset(f), nodes(f) − testset(f) does not change, and no formerly internal links become external; so accmin(f) = nil in s also.

Suppose accmin(f) = (q,r) in s'. By GC-A, level(f) ≤ level(fragment(r)). So by precondition, fragment(r) ≠ g. Since all of nodes(g) is added to testset(f), there is no change to nodes(f) − testset(f). Thus accmin(f) is unchanged.

Case 2: p ∉ testset(f) in s'.

Claims about s':

1. rootchanged(g) = true, by precondition.

2. level(g) < level(f), by precondition.

3. minlink(g) = (q,p) ≠ nil, by precondition.

4. fragment(p) = f, by precondition.

5. dcstatus(r) = unfind for all r ∈ nodes(g), by Claim 3.

6. No FIND message is in subtree(g), by Claim 3.

7. No REPORT message is headed toward mw-root(g), by Claim 3.

8. root(g) = mw-root(g), by Claim 3 and COM-A.

9. wt(l) > wt(q,p) for all external links l of g, by Claim 3 and COM-A.

10. If minlink(f) = (r,t), then level(fragment(t)) ≥ level(f), by COM-A.

11. If minlink(f) = (r,t), then g ≠ fragment(t), by Claims 2 and 10.

12. If accmin(f) = (r,t), then level(fragment(t)) ≥ level(f), by GC-A.

13. If accmin(f) = (r,t), then g ≠ fragment(t), by Claims 2 and 12.

If minlink(f) = nil in s', then obviously it is still nil in s. Suppose minlink(f) = (r,t) in s'. By Claims 5, 6, 7, 8 and 11 (and code), minlink(f) = (r,t) in s as well.

If accmin(f) = (r,t) in s', then it is unchanged in s by Claims 9 and 13. Suppose accmin(f) = nil in s'. If this is because minlink(f) ≠ nil in s', then, since we just showed that minlink(f) does not change, accmin(f) is still nil in s. Suppose accmin(f) = nil not because minlink(f) ≠ nil, but because no node in nodes(f) − testset(f) has an external link. But by the assumption for this case, p ∉ testset(f), yet it is in nodes(f) by Claim 4, and (p,q) is an external link of p by Claim 3 and COM-A, a contradiction.


(3a) We consider two cases. First we prove some facts true in both cases.

Claims about s':

1. rootchanged(g) = true, by precondition.

2. level(g) < level(f), by precondition.

3. minlink(g) = (q,p), by precondition.

4. p ∈ nodes(f), by precondition.

5. No REPORT is headed toward root(g), by Claim 3.

6. No FIND is in subtree(g), by Claim 3.

7. dcstatus(r) = unfind, for all r ∈ nodes(g), by Claim 3.

8. (q,p) is the minimum-weight external link of g, by Claim 3 and COM-A.

9. testset(g) = ∅, by Claim 3 and GC-C.

10. q is up-to-date, by Claim 9 and DC-N.

11. Following inbranches from q leads toward and over core(g), by Claim 10.

12. If REPORT is in dcqueue((r,t)), then inbranch(t) = (t,r), for all (r,t) ∈ subtree(g), by Claims 6 and 7 and DC-A(a) and (f).

13. If REPORT is in dcqueue((r,t)) and (r,t) = core(g), then r = root(g), for all (r,t) ∈ subtree(g), by Claim 5.

14. If REPORT is in dcqueue((r,t)) and (r,t) ≠ core(g), then t is a child of r, for all (r,t) ∈ subtree(g), by Claim 9 and DC-B(a).

15. If REPORT is in dcqueue((r,t)), then (r,t) is not on the path between root(g) and q, for all (r,t) ∈ subtree(g), by Claims 3, 5, 8, 9 and DC-N.

16. No REPORT is headed toward q, by Claims 5, 14 and 15.

17. dcqueue((p,q)) and dcqueue((q,p)) are empty, by Claim 8 and DC-A(g), DC-B(a) and DC-D(a).


Case 1: p ∉ testset(f).

More claims about s':

18. p ∉ testset(f), by assumption.

19. AfterMerge(r,t), where p ∈ subtree(t), is not enabled, by Claim 18 and DC-G.

20. No FIND is headed toward p, by Claim 18 and DC-C(a).

DC-A: By Claim 12, vacuously true for any REPORT in old g. For a REPORT that could be in some dcqueue((r,t)) with p ∈ subtree(t): (e) by Claims 16 and 17.

DC-B: By Claim 16, the change in location of the core for nodes formerly in g is OK.

DC-D(a): By Claim 6, the change in location of the core for nodes formerly in g is OK. By Claim 20, it is OK not to add nodes(g) to testset(f).

DC-G: By Claim 19, vacuously true.

DC-H(a): By Claim 7.

DC-K: Choose any up-to-date node r in nodes(f) in s. By Claims 7 and 11 and code, no node that is in nodes(g) in s' is up-to-date in s. Thus r is in nodes(f) in s'.
(a) If r = p, then findcount(p) is changed (incremented by 1) if and only if the number of children of p that are not completed is changed (increased by 1). If r ≠ p, then neither findcount(r) nor the number of children of r that are not completed is changed.

(b) Suppose bestlink(r) = nil in s. Then the same is true in s'. By DC-K(b), bestwt(r) = ∞ and there is no external link of C_r in s'. In going to s, there is no change to bestwt(r), and no internal links become external.

(c) Suppose bestlink(r) ≠ nil in s. Then the same is true in s'. Let l be the minimum-weight external link of C_r in s'. By DC-K(c), following bestlinks from r leads to l, wt(l) = bestwt(r), and level(h) ≥ level(f), where h = fragment(target(l)), in s'. By the precondition on level(g), h ≠ g in s', and thus l is still external in s. If p ∉ C_r in s', then C_r is unchanged in s, and the predicate is still true. Suppose p ∈ C_r in s'. By Claim 8, wt(q,p) is less than the weight of any other external link of g, and wt(l) ≤ wt(p,q) since (p,q) is an external link of p ∈ C_r; thus wt(l) is less than the weight of any link of g that is still external in s. Thus adding all the nodes of g to C_r in going to s does not falsify the predicate.

DC-O: By Claim 6, the former core(g) is OK.

DC-N: Let l be the minimum-weight external link of f in s'. If l ≠ (p,q), then wt(l) < wt(p,q), and by Claim 8, wt(l) < wt(l') for any external link l' of g. Thus, in s, l is still the minimum-weight external link of f, and DC-N is true in s.

Now suppose l = (p,q). By DC-N and Claim 18, p is up-to-date. But by DC-K(b) and (c), bestlink(p) = (p,q) and level(f) ≤ level(g), which contradicts Claim 2.


Case 2: p ∈ testset(f).

More claims about s':

21. p ∈ testset(f), by assumption.

22. For all (r,t) such that p ∈ subtree(r) and inbranch(t) ≠ (t,r), no REPORT is in dcqueue((r,t)), by Claim 21 and DC-A(e).

23. A FIND is headed toward p, or dcstatus(p) = find, or AfterMerge(r,t) is enabled, where p ∈ subtree(t), by Claim 21 and DC-E.

DC-A(e): By Claim 22, the addition of uncompleted child q to p is OK.

DC-B: As in Case 1.

DC-D: As in Case 1.

DC-E: By Claim 23.

DC-G: By code, since all of nodes(g) is added to testset(f).

DC-H: By Claim 7.

DC-K: As in Case 1.

DC-M: By code, since findcount(p) is incremented.

DC-N: By code, since all of nodes(g) is added to testset(f).

DC-O: By Claim 17 and code.

Let P'_DC = (P'_GC ∘ S4) ∧ P_DC.

Corollary 20: P'_DC is true in every reachable state of DC.

Proof:  By  Lemmas  1  and  19. 


4.2.5 NOT Simulates COM

This automaton refines on COM by implementing the level and core of a fragment with local variables nlevel(p) and nfrag(p) for each node p in the fragment, and with NOTIFY messages. When two fragments merge, a NOTIFY message is sent over one link of the new core, carrying the level and core of the newly created fragment. The action AfterMerge(p,q) adds such a NOTIFY message to the other link of the new core. A ComputeMin(f) action cannot occur until the source of minlink(f) has the correct nlevel, and the target of minlink(f) has an nlevel at least as big as the source's. The preconditions for Absorb(f,g) now include the fact that the level of fragment g must be less than the nlevel of the target of minlink(g). When an Absorb(f,g) occurs, a NOTIFY message is sent to the old fragment g, over the reverse link of minlink(g), with the nlevel and nfrag of the target of minlink(g).

Define  automaton  NOT  (for  “Notify”)  as  follows. 

The state consists of a set fragments. Each element f of the set is called a fragment, and has the following components:

• subtree(f), a subgraph of G;

• minlink(f), a link of G or nil; and

• rootchanged(f), a Boolean.

For each node p, there are associated two variables:

• nlevel(p), a nonnegative integer; and

• nfrag(p), an edge of G or nil.

For each link (p,q), there are associated three variables:

• nqueue_p((p,q)), a FIFO queue of messages from p to q waiting at p to be sent;

• nqueue_pq((p,q)), a FIFO queue of messages from p to q that are in the communication channel; and

• nqueue_q((p,q)), a FIFO queue of messages from p to q waiting at q to be processed.

The set of possible messages M is {NOTIFY(l,c) : l ≥ 0, c ∈ E(G)}. The state also contains Boolean variables answered(l), one for each l ∈ L(G), and a Boolean variable awake.

In the start state of NOT, fragments has one element for each node in V(G); for fragment f corresponding to node p, subtree(f) = {p}, minlink(f) is the minimum-weight link adjacent to p, and rootchanged(f) is false. For each node p, nlevel(p) = 0 and nfrag(p) = nil. The message queues are empty. Each answered(l) is false and awake is false.

We say that a message m is in subtree(f) if m is in some nqueue((q,p)) and p ∈ nodes(f). A NOTIFY message is headed toward p if it is in nqueue((q,r)) and p ∈ subtree(r). The following are derived variables:

• For link (p,q), nqueue((p,q)) is defined to be nqueue_q((p,q)) || nqueue_pq((p,q)) || nqueue_p((p,q)).

• For fragment f, level(f) = max{l : nlevel(p) = l for some p ∈ nodes(f), or a NOTIFY(l,c) message is in subtree(f) for some c}.

• For fragment f, core(f) = nfrag(p) if nlevel(p) = level(f) for some p ∈ nodes(f), and core(f) = c if a NOTIFY(level(f), c) message is in subtree(f).

As for the DC action ReceiveFind, ReceiveNotify((q,p),l,c) is only enabled if AfterMerge(p,q) is not enabled, in order to make sure that q's side of the subtree is notified of the new information.

Input  actions: 

•  Start{p),  p  E  V(G) 

Effects: 

awake  :=  true 

Output  actions: 

•  InTree((p,q}),  (p,q}  E  L{G) 

Preconditions: 
awake  =  true 

(p,  5)  E  3ubiree{fragment{p))  or  {p,q)  =  minlink{fragment{p)) 
answered{{p,  q))  =  false 
Effects: 

an3wered{{p,q))  :=  true 

•  NotInTree{{p,q)),  {p,q)  E  L{G) 

Preconditions: 

fragment{p)  =  fragment{q)  and  {p,q)  ^  3ubtrec{fragment{p)) 
an3wered{{p,q))  =  false 
Effects: 

an3wered{{p,q))  :=  true 
Internal  actions: 


•  Channels  end{{p,  q)  ^m).  {p,q)  E  L{G),  m  E  M 
Preconditions: 

rn  at  head  of  nqueuep{{p,q)) 

Effects: 

dequeue!  nquerte  ^({p,q))) 
enqueue! r//  .  nqueue  { (p,  q))) 


'>3 

sT 


Channel R(:c.v{l^p,q),m)^  {jKq)  E  L{G),  in  E  M 
Preconditions: 
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m  at  head  of  nqu.e.uepq[{p.,q)) 
Effects: 

de(iueue(  nqueuv.  (p,  q))) 
ciiqueue(m,  nqueue ^{{p,  q))) 


•  ReceAveNotify{{q,p),l,c),  {q,p)  6  L{G),  /  >  0,  c  G  E{G) 
Preconditions: 


N0TIFY(/,  c)  at  head  of  nqueuep{{q,p)) 

AfterMerge{p,q)  not  enabled 
Effects: 

dequeue(  nquene^^i  {q,  p) ) ) 
nle.ve.l{p)  :—  I 
nfraq{p)  \—  c 

—  let  S  —  {(p,  r)  :  (p, /')  G  subtract  fragTntnt(p)),r  ^  q] 
enquexie(NOTri'Y( c),  ngweiiCpf^’))  for  all  k  £  S 


•  ComputeMin(f),  f  G  fragments 
Preconditions: 


minlink{f)  ~  nil 

(p,  q)  is  the  minimum- weight  external  link  of  / 
nlevel(p)  =  levrJ{f} 
level{f)  <  nlevel{q) 

Effects: 

minlink(f)  :=  I 


• ChangeRoot(f), f ∈ fragments

Preconditions:

awake = true
rootchanged(f) = false
minlink(f) ≠ nil

Effects:

rootchanged(f) := true


• Merge(f,g), f,g ∈ fragments

Preconditions:

f ≠ g
rootchanged(f) = rootchanged(g) = true
minedge(f) = minedge(g)

Effects:

add a new element h to fragments
subtree(h) := subtree(f) ∪ subtree(g) ∪ minedge(f)
minlink(h) := nil
rootchanged(h) := false
— let (p,q) = minedge(f) —
enqueue(NOTIFY(nlevel(p) + 1, (p,q)), nqueue_p((p,q)))
delete f and g from fragments

•  AfterMerge{p,q),  p.,q  G  V{G) 

Preconditions: 

(Pi  q)  ~  core{fragment(p)) 

NOTlFY(n/e?;eZ(p)  +  l,(p,5))  message  in  nqueue[{q , p)) 
no  NOTlFY(nZeve/(p)  +  !,(?,<)»))  message  in  nqueue{{p,q)) 
nlevtliq)  ^  nlevel{p)  +  1 
Effects: 

enqueue(NOTiFY(n/e’!;e/(p)  +  l,{p,  q)),  nqueue p{{p,  q))) 

•  Ab3orb(f,g)^  f,g^  fragments 

Preconditions: 

rootchanged{g)  =  true 

—  let  {q,p)  =  minlink{g)  — 
leveling)  <  nlevel{p) 
fragment{p)  =  / 

Effects: 

subtree(f)  :=  subtree{f)  U  subtree{g)  U  minedge(g) 
enqueue(NOTiFY(nlevel(p),  nfragip)),  nqueue^{{p^  q))) 
delete  g  from  fragments 

Define the following predicates on states of NOT. (All free variables are universally quantified.)

• NOT-A: core(f) is well-defined. (I.e., the set of all c such that a NOTIFY(level(f),c) is in subtree(f) or some p ∈ nodes(f) has nlevel(p) = level(f) and nfrag(p) = c, has exactly one element.)

• NOT-B: If q ∈ subtree(p), then nlevel(q) ≤ nlevel(p).

• NOT-C: If (p,q) = core(f), then nlevel(p) ≥ level(f) − 1.

• NOT-D: If minlink(f) = (p,q), then nlevel(p) = level(f) ≤ nlevel(q).

• NOT-E: If nfrag(p) = core(fragment(p)), then nlevel(p) = level(fragment(p)).

• NOT-F: Either nlevel(p) = 0 and nfrag(p) = nil, or else nlevel(p) > 0 and nfrag(p) ∈ subtree(fragment(p)).

• NOT-G: If nlevel(p) < level(fragment(p)), then either a NOTIFY(level(fragment(p)), core(fragment(p))) message is headed toward p, or else AfterMerge(q,r) is enabled, where p ∈ subtree(r).

• NOT-H: If a NOTIFY(l,c) message is in nqueue((q,p)), then

(a) nlevel(p) < l;

(b) if (p,q) ≠ core(fragment(p)), then nlevel(q) ≥ l;

(c) if c = core(fragment(p)), then l = level(fragment(p));

(d) if NOTIFY(l',c') is ahead of the NOTIFY(l,c) in nqueue((q,p)), then l' < l;

(e) p is a child of q, or (p,q) = core(fragment(p));

(f) if (p,q) = core(fragment(p)), then l = level(fragment(p));

(g) c ∈ subtree(fragment(p)); and

(h) l > 0.

Let P_NOT be the conjunction of NOT-A through NOT-H.
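The NOTIFY phase that follows Merge(f,g), as an added executable model of the NOT actions above (example code, not the thesis's own): Merge enqueues the first NOTIFY, AfterMerge answers across the new core, ReceiveNotify floods each side, and NOT-A, NOT-B, NOT-H(a) and NOT-H(e) are checked after every step. It assumes a single merged fragment whose three-stage channel is collapsed to one FIFO per directed link, and the fragments f and g are constructed sample input.

```python
"""Executable model (added example, not the thesis's own code) of NOT's NOTIFY phase after Merge(f,g),
with the derived level/core and NOT-A, NOT-B, NOT-H(a) and NOT-H(e) checked after every step."""
from collections import deque

def edge(u, v):  # edges are undirected, so (p,q) and (q,p) name the same core c
    return frozenset((u, v))

class MergedFragment:
    """Modelling assumption: the three-stage channel is collapsed to one FIFO per directed
    link, since ChannelSend/ChannelRecv never change the predicates checked here."""

    def __init__(self, tree_edges, core, nlevel, nfrag):
        self.adj = {u: set() for e in tree_edges for u in e}
        for u, v in tree_edges:
            self.adj[u].add(v); self.adj[v].add(u)
        self.nodes, self.core = set(self.adj), core
        self.nlevel, self.nfrag = dict(nlevel), dict(nfrag)
        self.nqueue = {(u, v): deque() for u in self.nodes for v in self.adj[u]}
        # parent[v] is v's neighbour nearer the core; the core endpoints have none.
        self.parent, todo = {core[0]: None, core[1]: None}, deque(core)
        while todo:
            u = todo.popleft()
            for v in self.adj[u] - set(self.parent):
                self.parent[v] = u
                todo.append(v)

    @classmethod
    def merge(cls, f, g, minedge):
        """Merge(f,g) for f, g = (tree_edges, nlevel, nfrag): subtree(h) is the union plus
        minedge (p,q), and NOTIFY(nlevel(p)+1, (p,q)) is enqueued in nqueue((p,q))."""
        p, q = minedge
        h = cls(f[0] + g[0] + [minedge], minedge, {**f[1], **g[1]}, {**f[2], **g[2]})
        h.nqueue[(p, q)].append((h.nlevel[p] + 1, edge(p, q)))
        return h

    def after_merge_enabled(self, p, q):
        msg = (self.nlevel[p] + 1, edge(p, q))
        return (edge(p, q) == edge(*self.core) and msg in self.nqueue[(q, p)]
                and msg not in self.nqueue[(p, q)] and self.nlevel[q] != msg[0])

    def after_merge(self, p, q):
        if not self.after_merge_enabled(p, q):
            return False
        self.nqueue[(p, q)].append((self.nlevel[p] + 1, edge(p, q)))
        return True

    def receive_notify(self, q, p):
        """ReceiveNotify((q,p),l,c) is blocked while AfterMerge(p,q) is enabled, so that
        q's side of the tree is told about the new core before p consumes the message."""
        if not self.nqueue[(q, p)] or self.after_merge_enabled(p, q):
            return False
        l, c = self.nqueue[(q, p)].popleft()
        self.nlevel[p], self.nfrag[p] = l, c
        for r in self.adj[p] - {q}:  # S = {(p,r) in subtree(fragment(p)) : r != q}
            self.nqueue[(p, r)].append((l, c))
        return True

    def messages(self):  # [((q,p), (l,c))] for every NOTIFY(l,c) in subtree(h)
        return [(link, m) for link, ms in self.nqueue.items() for m in ms]
    def level(self):  # derived level(h): max over nlevel and NOTIFY levels in subtree(h)
        return max([*self.nlevel.values()] + [m[0] for _, m in self.messages()])
    def core_candidates(self):  # NOT-A holds iff this set has exactly one element
        lv = self.level()
        cs = {self.nfrag[v] for v in self.nodes if self.nlevel[v] == lv}
        return cs | {m[1] for _, m in self.messages() if m[0] == lv}

    def check_invariants(self):
        assert len(self.core_candidates()) == 1  # NOT-A: core(h) is well-defined
        for v, u in self.parent.items():  # NOT-B: nlevel never grows going down the tree
            assert u is None or self.nlevel[v] <= self.nlevel[u]
        for (q, p), (l, _) in self.messages():
            assert self.nlevel[p] < l  # NOT-H(a)
            assert self.parent[p] == q or edge(p, q) == edge(*self.core)  # NOT-H(e)

def run_notify_phase(h):
    """Fire AfterMerge and ReceiveNotify until no NOTIFY is left; returns the step count."""
    (p, q), steps, progress = h.core, 0, True
    h.check_invariants()
    while progress:
        progress = False
        for a, b in ((p, q), (q, p)):
            if h.after_merge(a, b):
                steps, progress = steps + 1, True
                h.check_invariants()
        for a, b in list(h.nqueue):
            if h.receive_notify(a, b):
                steps, progress = steps + 1, True
                h.check_invariants()
    assert not h.messages()
    return steps

def example_merge():
    """Constructed sample: f = {a,b,c} with core (a,b) and g = {d,e} with core (d,e), both
    at level 1 and fully notified, merge over minedge (c,d)."""
    f = ([("a", "b"), ("b", "c")], {v: 1 for v in "abc"}, {v: edge("a", "b") for v in "abc"})
    g = ([("d", "e")], {v: 1 for v in "de"}, {v: edge("d", "e") for v in "de"})
    return MergedFragment.merge(f, g, ("c", "d"))
```

Running run_notify_phase(example_merge()) takes six steps (one AfterMerge and five ReceiveNotify) and leaves every node at nlevel 2 with nfrag = (c,d), while the invariants hold throughout.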

In order to show that NOT simulates COM, we define an abstraction mapping M5 = (S5, A5) from NOT to COM. Define the function S5 from states(NOT) to states(COM) by simply ignoring the message queues, and mapping the derived variables level(f) and core(f) in the NOT state to the (non-derived) variables level(f) and core(f) in the COM state. Define the function A5 as follows. Let s be a state of NOT and π an action of NOT enabled in s.

• If π = ChannelSend(k,m), ChannelRecv(k,m), ReceiveNotify(k,l,c), or AfterMerge(p,q), then A5(s,π) is empty.

• For all other values of π, A5(s,π) = π.

The following predicates are true in any state of NOT satisfying (P'_COM ∘ S5) ∧ P_NOT. Recall that P'_COM = (P_HI ∘ S1) ∧ P_COM. If P'_COM(S5(s)) is true, then the COM predicates are true in S5(s), and the HI predicates are true in S1(S5(s)). Thus, these predicates follow from P_NOT, together with the HI and COM predicates.

• NOT-I: If p = minnode(f), then no NOTIFY message is headed toward p.

• NOT-J: For all p, at most one NOTIFY(l,c) message is headed toward p, for a fixed l.


Lemma 21: NOT simulates COM via M5, P_NOT, and P'_COM.

Proof: By inspection, the types of NOT, COM, M5, and P_NOT are correct. By Corollary 14, P'_COM is a predicate true in every reachable state of COM.

(1) Let s be in start(NOT). Obviously P_NOT is true in s and S5(s) is in start(COM).

(2) Obviously, A5(s,π)|ext(COM) = π|ext(NOT).

(3) Let (s',π,s) be a step of NOT such that P'_COM is true of S5(s') and P_NOT is true of s'. Below, we only show (3a) for those predicates that are not obviously true in s.

i) π is Start(p), InTree(l), NotInTree(l), or ChangeRoot(f). A5(s',π) = π. Obviously, S5(s') π S5(s) is an execution fragment of COM, and P_NOT is true in s.

ii) π is ChannelSend(l,m) or ChannelRecv(l,m). A5(s',π) is empty. Obviously, S5(s') = S5(s), and P_NOT is true in s.

iii) π is ReceiveNotify((q,p),l,c). Let f = fragment(p).

(3b) A5(s',π) is empty. To show that S5(s) = S5(s'), we only need to show that level(f) and core(f) don't change. By NOT-H(a), nlevel(p) < l in s', and thus nlevel(p) ≠ level(f). So changing nlevel(p) is OK. Also, since nlevel(p) and nfrag(p) are set to l and c, removing the NOTIFY(l,c) from nqueue((q,p)) is OK.

(3a) NOT-A: By code.

NOT-B: By NOT-B, nlevel(q) ≤ nlevel(r) for all r such that q ∈ subtree(r) in s'. By NOT-H(b), if (p,q) ≠ core(f), then nlevel(q) ≥ l in s'. Since nlevel(p) = l in s, the predicate is true.

NOT-C: Follows from the fact that this predicate is true in s' and that nlevel(p) increases.

NOT-D: As argued in (3b), nlevel(p) < l ≤ level(f). By NOT-D, p ≠ minnode(f) in s', or in s. Suppose p = target(minlink(g)) in s', for some g. Since nlevel(p) increases in going from s' to s, the predicate is still true in s.

NOT-E: By NOT-H(c), c = core(f) implies that l = level(f) in s'. So in s, c = nfrag(p) = core(f) implies that l = nlevel(p) = level(f).

NOT-F: By NOT-H(g), c ≠ nil, and by NOT-H(h), l > 0 in s'. Thus in s, c = nfrag(p) ≠ nil and l = nlevel(p) ≠ 0.
NOT-G: The NOTIFY(l,c) message removed from nqueue((q,p)) is replaced by the NOTIFY(l,c) messages added to nqueue((p,r)), for all (p,r) ∈ S.

NOT-H: Suppose NOTIFY(l,c) is added to nqueue((p,r)) in s. (I.e., (p,r) ∈ S.)

Claims about s':

1. NOTIFY(l,c) is at head of nqueue((q,p)), by precondition.

2. p ∈ subtree(q) or (p,q) = core(f), by Claim 1 and NOT-H(e).

3. r ∈ subtree(p), by Claim 2 and definition of S.

4. nlevel(r) ≤ nlevel(p), by Claim 3 and NOT-B.

5. nlevel(p) < l, by Claim 1 and NOT-H(a).

6. If NOTIFY(l',c') is in nqueue((p,r)), then l' < l, by Claims 3 and 5 and NOT-H(b).

7. nlevel(r) < l, by Claims 4 and 5.

(a) by Claim 7. (b) by Claim 3. (d) by Claim 7. (e) by Claim 3. (f) vacuously true by Claim 3. (c), (g) and (h) since the same is true for the NOTIFY(l,c) in nqueue((q,p)) in s'.

iv) π is ComputeMin(f).

(3c) A5(s',π) = π. Obviously π is enabled in S5(s'), since by definition nlevel(q) ≤ level(fragment(q)). The effects are obviously mirrored in S5(s).

(3a) By the preconditions, NOT-D is true in s. No other predicate is affected.

v) π is Merge(f,g).

(3c) A5(s',π) = π. Obviously π is enabled in S5(s'). To show that its effects are mirrored in S5(s), we show that level(h) and core(h) are correct. Let minlink(f) = (p,q) and l = level(f) in s'.

Claims about s':

1. minedge(f) = minedge(g), by precondition.

2. level(g) = l, by Claim 1 and COM-A.

3. rootchanged(f) = true, by precondition.

4. minlink(f) ≠ nil, by Claim 3 and COM-B.

5. nlevel(p) = l, by Claim 4 and NOT-D.

6. nlevel(r) ≤ l for all r ∈ nodes(f), by definition of level(f).

7. If NOTIFY(m,c) is in subtree(f), then m ≤ l, by definition of level(f).

8. rootchanged(g) = true, by precondition.

9. minlink(g) ≠ nil, by Claim 8 and COM-B.

10. nlevel(q) = l, by Claims 2 and 9 and NOT-D.

11. nlevel(r) ≤ l for all r ∈ nodes(g), by definition of level(g).

12. If NOTIFY(m,c) is in subtree(g), then m ≤ l, by definition of level(g).

13. (p,q) is an external link of f, by COM-A.

14. nqueue((p,q)) and nqueue((q,p)) are empty, by Claim 13 and NOT-H(e).

Claims about s:

15. nlevel(r) ≤ l + 1, for all r ∈ nodes(h), by Claims 6 and 11 and code.

16. The only NOTIFY message in subtree(h) with level greater than l is the NOTIFY(l+1,(p,q)) message added to nqueue((p,q)), by Claims 7, 12 and 14 and code.

17. level(h) = l + 1, by Claims 15 and 16.

18. core(h) = (p,q), by Claims 15 and 16.

Claims 17 and 18 give the result.

(3a) Only fragment h needs to be checked.

NOT-A: By Claims 15 and 16.

NOT-B: As argued in the proof of NOT-I, nlevel(r) = l for all r on the path from core(f) to p, and all r on the path from core(g) to q. Since these are the only nodes affected by the change of core, the predicate is still true in s.

NOT-C: By Claims 5, 10 and 17.

NOT-D: Vacuously true since minlink(h) = nil by code.

NOT-E: By NOT-F and Claim 13, nfrag(r) ≠ (p,q) for all r in nodes(f) or nodes(g). So the predicate is vacuously true.

NOT-F: No relevant change.

NOT-G: If r is in nodes(g) in s', the predicate is true in s because of Claims 17 and 18 and the NOTIFY(l+1,(p,q)) added to nqueue((p,q)) in s. If r is in nodes(f) in s', then AfterMerge(q,p) is enabled in s, by code and Claims 5, 10, 14 and 18.

NOT-H for the NOTIFY(l+1,(p,q)) added to nqueue((p,q)): (a) nlevel(q) < l+1, by Claim 15. (b) By Claim 18. (c) By Claim 17. (d) Vacuously true by Claim 14. (e) By Claim 18. (f) By Claims 17 and 18. (g) By code. (h) By COM-F, l ≥ 0, so l+1 > 0.
NOT-H for any NOTIFY(l',c') message in subtree(f) in s' (similar argument for g): (a), (d), (g) and (h) No relevant change.

(b) Suppose the message is in a link of core(f) = (r,t). Suppose p ∈ subtree(t). By NOT-I, the message is not in nqueue((r,t)). As argued in the proof of NOT-I, nlevel(t) = l. If the message is in nqueue((t,r)), then, since l' ≤ l, the predicate is true in s.

(c) By Claim 13 and NOT-H(g), c' ≠ (p,q), so the predicate is vacuously true in s.

(e) The only nodes for which the subtree relationship changes are those along the path from core(f) to p. By NOT-I, there is no NOTIFY message in this path.

(f) Vacuously true, by Claim 18.

vi) π is AfterMerge(p,q). Let f = fragment(p).

(3b) A5(s',π) is empty. Obviously S5(s') = S5(s).

(3a) Let l = nlevel(p) + 1 and c = (p,q).

NOT-A: Obvious.

NOT-B, C, D, and E: No relevant changes.

NOT-G: The NOTIFY(l,c) message added to nqueue((p,q)) in s compensates for the fact that AfterMerge(p,q) goes from enabled in s' to disabled in s.

NOT-H: Let c = (p,q) and l = nlevel(p) + 1. Consider the NOTIFY(l,c) added to nqueue((p,q)).

Claims about s':

1. (p,q) = core(f), by precondition.

2. NOTIFY(l,c) is in nqueue((q,p)), by precondition.

3. No NOTIFY(l,c) is in nqueue((p,q)), by precondition.

4. nlevel(q) ≠ l, by precondition.

5. l = level(f), by Claims 1 and 2 and NOT-H(f).

6. nlevel(q) < l, by Claims 4 and 5.

7. If NOTIFY(l',c') is in nqueue((p,q)), then l' = l, by Claims 1 and 5 and NOT-H(d).

8. If NOTIFY(l',c') is in nqueue((p,q)), then c' = c, by Claim 1 and NOT-A.

9. No NOTIFY is in nqueue((p,q)), by Claims 3, 7 and 8.

10. nlevel(p) ≥ 0, by NOT-F.

(a) by Claim 6. (b) vacuously true, by Claim 1. (c) by Claim 5. (d) by Claim 9. (e) by Claim 1. (f) by Claim 5. (g) by Claim 1 and COM-F. (h) by Claim 10.

vii) π is Absorb(f,g).

(3c) A5(s',π) = π.

Claims about s':

1. rootchanged(g) = true, by precondition.

2. level(g) < nlevel(p), by precondition.

3. fragment(p) = f, by precondition.

4. nlevel(p) ≤ level(f), by Claim 3 and definition of level.

5. nlevel(r) ≤ level(g), for all r ∈ nodes(g), by definition of level.

6. If NOTIFY(l,c) is in subtree(g), then l ≤ level(g), by definition of level.

7. (q,p) is an external link of g, by COM-A.

8. nqueue((p,q)) and nqueue((q,p)) are empty, by Claim 7 and NOT-H(e).

By Claim 4, π is enabled in S5(s'). The effects of π are mirrored in S5(s) if core(f) and level(f) are unchanged; by code and Claims 6, 7 and 8, they are unchanged.

(3a) Let l = nlevel(p) and c = nfrag(p) in s'.

More claims about s':

9. f ≠ g, by Claims 7 and 3.

10. level(f) > 0, by Claims 2 and 3 and COM-F.

11. core(f) ∈ subtree(f), by Claim 10 and COM-F.

12. nfrag(r) ≠ core(f), for all r ∈ nodes(g), by Claim 11 and NOT-F.

13. nlevel(q) ≤ level(g), by definition.

14. nfrag(p) ∈ subtree(f), by Claims 2 and 10 and NOT-F.

NOT-A: By code and Claims 6, 7 and 8.

NOT-B: Same argument as for Merge(f,g).

NOT-D: No relevant changes.

NOT-E: By Claim 12, vacuously true for nodes formerly in nodes(g).

NOT-F: No relevant changes.

NOT-G: Suppose nlevel(p) = level(f) in s'. By code, in s there is a NOTIFY(level(f),c) message headed toward every node formerly in nodes(g).

Suppose nlevel(p) ≠ level(f) in s'. By NOT-G, either a NOTIFY(level(f),c') message is headed toward p in s', and thus is headed toward all nodes formerly in nodes(g) in s, or AfterMerge(r,t) is enabled in s' with p ∈ subtree(t), and thus in s, AfterMerge(r,t) is still enabled and every node formerly in nodes(g) is in subtree(t).

NOT-H for the NOTIFY(l,c) added to nqueue((p,q)): (a) by Claims 2 and 12. (b) by code. (c) by NOT-E. (d) vacuously true by Claim 8. (e) q is a child of p, by Claim 11. (f) vacuously true, by Claim 11. (g) by Claim 14. (h) by Claims 2 and 10.

NOT-H for any NOTIFY(l',c') in subtree(g) in s': (a), (d), (g) and (h): no relevant change. (b) and (e) same argument as for Merge(f,g). (c) vacuously true, by Claim 11. (f) vacuously true, by code. □

Let P'_NOT = (P'_COM ∘ S5) ∧ P_NOT.

Corollary 22: P'_NOT is true in every reachable state of NOT.

Proof: By Lemmas 1 and 21. □
4.2.6 CON Simulates COM

This automaton concentrates on what happens after minlink(f) is identified, until fragment f merges or is absorbed, i.e., the ChangeRoot(f), Merge(f,g) and Absorb(g,f) actions are broken down into a series of actions involving message passing. The variable rootchanged(f) is now derived. As soon as ComputeMin(f) occurs, the node adjacent to the core closest to minlink(f) sends a CHANGEROOT message on its outgoing link that leads to minlink(f). A chain of such messages makes its way to the source of minlink(f), which then sends a CONNECT(level(f)) message over minlink(f). The presence of a CONNECT message in minlink(f) means that rootchanged(f) is true. Thus, the ChangeRoot(f) action is only needed for fragments f consisting of a single node. Two fragments can merge when they have the same minedge and a CONNECT message is in both its links; the result is that one of the CONNECT messages is removed. The action AfterMerge(p,q) removes the other CONNECT message from the new core. (A delicate point is that ComputeMin(f) cannot occur until the appropriate AfterMerge(p,q) has, in order to make sure old CONNECT messages are not hanging around.) Absorb(f,g) can occur if there is a CONNECT(l) message in minlink(g), and minlink(g) points to a fragment whose level is greater than l.

Define automaton CON (for "Connect") as follows.

The state consists of a set fragments. Each element f of the set is called a fragment, and has the following components:

• subtree(f), a subgraph of G;

• core(f), an edge of G or nil;

• level(f), a nonnegative integer; and

• minlink(f), a link of G or nil.

For each link (p,q), there are associated three variables:

• cqueue_p((p,q)), a FIFO queue of messages from p to q waiting at p to be sent;

• cqueue_pq((p,q)), a FIFO queue of messages from p to q that are in the communication channel; and

• cqueue_q((p,q)), a FIFO queue of messages from p to q waiting at q to be processed.

The set of possible messages M is {CONNECT(l) : l ≥ 0} ∪ {CHANGEROOT}. The state also contains Boolean variables answered(l), one for each l ∈ L(G), and a Boolean variable awake.

In the start state of CON, fragments has one element for each node in V(G): for fragment f corresponding to node p, subtree(f) = {p}, core(f) = nil, level(f) = 0, and minlink(f) is the minimum-weight link adjacent to p. The message queues are empty. Each answered(l) is false and awake is false.

The derived variable cqueue((p,q)) is cqueue_q((p,q)) || cqueue_pq((p,q)) || cqueue_p((p,q)). For each fragment f, we define the derived Boolean variable rootchanged(f) to be true if and only if a CONNECT message is in cqueue((p,q)), for some external link (p,q) of f. Derived variable tominlink(p) is defined to be the link (p,q) such that (p,q) is on the path in subtree(fragment(p)) from p to minnode(fragment(p)).

Message m is defined to be in subtree(f) if m is in cqueue((q,p)) and p ∈ nodes(f).

Input actions:

• Start(p), p ∈ V(G)

Effects:

awake := true

Output actions:

• InTree((p,q)), (p,q) ∈ L(G)

Preconditions:

awake = true
(p,q) ∈ subtree(fragment(p)) or (p,q) = minlink(fragment(p))
answered((p,q)) = false

Effects:

answered((p,q)) := true

• NotInTree((p,q)), (p,q) ∈ L(G)

Preconditions:

fragment(p) = fragment(q) and (p,q) ∉ subtree(fragment(p))
answered((p,q)) = false

Effects:

answered((p,q)) := true

Internal actions:

• ChannelSend((p,q),m), (p,q) ∈ L(G), m ∈ M

Preconditions:

m at head of cqueue_p((p,q))

Effects:

dequeue(cqueue_p((p,q)))
enqueue(m, cqueue_pq((p,q)))

• ChannelRecv((p,q),m), (p,q) ∈ L(G), m ∈ M

Preconditions:

m at head of cqueue_pq((p,q))

Effects:

dequeue(cqueue_pq((p,q)))
enqueue(m, cqueue_q((p,q)))

• ComputeMin(f), f ∈ fragments

Preconditions:

minlink(f) = nil
l is the minimum-weight external link of subtree(f)
level(f) ≤ level(fragment(target(l)))
no CONNECT message is in cqueue(k), for any internal link k of f

Effects:

minlink(f) := l
— let p = root(f) —
if p ≠ minnode(f) then enqueue(CHANGEROOT, cqueue_p(tominlink(p)))
else enqueue(CONNECT(level(f)), cqueue_p(minlink(f)))

• ReceiveChangeRoot((q,p)), (q,p) ∈ L(G)

Preconditions:

CHANGEROOT at head of cqueue_p((q,p))

Effects:

dequeue(cqueue_p((q,p)))
— let f = fragment(p) —
if p ≠ minnode(f) then enqueue(CHANGEROOT, cqueue_p(tominlink(p)))
else enqueue(CONNECT(level(f)), cqueue_p(minlink(f)))

• ChangeRoot(f), f ∈ fragments

Preconditions:

awake = true
rootchanged(f) = false
subtree(f) = {p}

Effects:

enqueue(CONNECT(0), cqueue_p(minlink(f)))

•  Merge{f,g),  f,g  £  fragments 

Preconditions: 

connect(/)  in  cqueue({p,q)),  external  link  of  / 

CONNECt(Z)  at  head  of  cqueuep{{q,p)),  {q,p)  external  link  of  g 
Effects: 

dequeue(  cqueuep{{q,  p))) 

add  a  new  element  h  to  fragments 

subtree{h)  ;=  subtree{f)  U  subtree{g)  U  minedge[f) 

core{h)  :=  minedge{f) 

level(h)  :=  level{f)  -f  1 

minlink(h)  nil 

delete  /  and  g  from  fragments 

•  AfteTMerge{p,q),  p,q  £  V{G) 

Preconditions: 
fragment{p)  =  fragment{q) 
connect(Z)  at  head  of  cqueuep({q, p)) 

Effects: 

dequeue(  cqueuep{  {q,p))) 

•  Absorb{f,g),  f^g£  fragments 

Preconditions; 

—  let  p  =  iargei(minlink(g)) 

CONNECt(/)  at  head  of  cqueuep{minlink{g)) 

I  level{f) 
f  =  fragment{p) 

Effects: 

dequeue(  cqueuep{  minlink(g) ) ) 

subtree{f)  :=  subtree{f)  U  subtree{g)  U  minedge[g) 

delete  g  from  fragments 

Define the following predicates on states of CON. (All free variables are universally quantified.)

• CON-A: If awake = false, then cqueue((q,p)) is empty.

• CON-B: If rootchanged(f) = false and minlink(f) ≠ nil, then either subtree(f) = {p}, or else minnode(f) ≠ root(f) and there is exactly one CHANGEROOT message in subtree(f).

• CON-C: If a CHANGEROOT message is in cqueue((q,p)), then minlink(f) ≠ nil, rootchanged(f) = false, p is a child of q, and minnode(f) ∈ subtree(p), where f = fragment(p).

• CON-D: If a CONNECT(l) message is in cqueue(k), where k is an external link of f, then k = minlink(f), l = level(f), and only one CONNECT message is in cqueue(k).

• CON-E: If a CONNECT(l) message is in cqueue((p,q)), where (p,q) is an internal link of f, then (p,q) = core(f), l < level(f), and only one CONNECT message is in cqueue((p,q)).

• CON-F: If minlink(f) ≠ nil, then no CONNECT message is in cqueue(k), for any internal link k of f.

Let P_CON be the conjunction of CON-A through CON-F.
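The CHANGEROOT chain and CONNECT emission described above, as an added executable model of one fragment of CON (example code, not the thesis's own): ComputeMin(f) starts the chain at root(f), ReceiveChangeRoot forwards it along tominlink, the source of minlink(f) emits CONNECT(level(f)), and CON-B, CON-C and CON-D are checked after every step. It assumes the fragment's tree, the external link weights and the neighbouring fragments' levels are supplied directly as constructed input.

```python
"""Executable model (added example, not the thesis's own code) of the CHANGEROOT/CONNECT phase of CON
for one fragment f: ComputeMin, the CHANGEROOT chain, CONNECT over minlink, derived rootchanged, CON-B/C/D."""
from collections import deque

CHANGEROOT = ("CHANGEROOT",)
STAGES = ("p", "pq", "q")  # cqueue_p (at sender), cqueue_pq (channel), cqueue_q (at receiver)

class Fragment:
    """subtree(f) as an undirected tree; external maps link (p,q) to (weight, level(fragment(q)))."""

    def __init__(self, tree_edges, core, level, external):
        self.adj = {u: set() for e in tree_edges for u in e}
        for u, v in tree_edges:
            self.adj[u].add(v); self.adj[v].add(u)
        self.nodes, self.core, self.level, self.external = set(self.adj), core, level, external
        self.minlink = None
        # parent[v] is v's neighbour nearer the core; the two core endpoints have none.
        self.parent, todo = {core[0]: None, core[1]: None}, deque(core)
        while todo:
            u = todo.popleft()
            for v in self.adj[u] - set(self.parent):
                self.parent[v] = u
                todo.append(v)
        self.internal = [(u, v) for u in self.nodes for v in self.adj[u]]
        self.q = {l: {s: deque() for s in STAGES} for l in self.internal + list(external)}

    def cqueue(self, l):  # cqueue_q || cqueue_pq || cqueue_p, head at index 0
        return [m for s in reversed(STAGES) for m in self.q[l][s]]
    def up_path(self, v):  # v, parent(v), ..., the core endpoint on v's side
        path = [v]
        while self.parent[path[-1]] is not None:
            path.append(self.parent[path[-1]])
        return path
    def root(self):  # core endpoint on the side of minnode(f), the source of minlink(f)
        return self.up_path(self.minlink[0])[-1]
    def tominlink(self, p):  # the link from p toward minnode(f) in subtree(f)
        path = self.up_path(self.minlink[0])
        return (p, path[path.index(p) - 1])
    def rootchanged(self):  # derived: a CONNECT sits in some external link of f
        return any(m[0] == "CONNECT" for l in self.external for m in self.cqueue(l))
    def _send_on(self, p):  # shared tail of ComputeMin and ReceiveChangeRoot
        if p != self.minlink[0]:
            self.q[self.tominlink(p)]["p"].append(CHANGEROOT)
        else:
            self.q[self.minlink]["p"].append(("CONNECT", self.level))

    def compute_min(self):
        ok = [l for l, (_, lvl) in self.external.items() if self.level <= lvl]
        blocked = any(m[0] == "CONNECT" for l in self.internal for m in self.cqueue(l))
        if self.minlink is not None or not ok or blocked:
            return False
        self.minlink = min(ok, key=lambda l: self.external[l][0])
        self._send_on(self.root())
        return True

    def channel_step(self, l):  # one ChannelSend or ChannelRecv on link l
        for src, dst in (("p", "pq"), ("pq", "q")):
            if self.q[l][src]:
                self.q[l][dst].append(self.q[l][src].popleft())
                return True
        return False

    def receive_changeroot(self, l):  # l = (q,p); CHANGEROOT at head of cqueue_p
        if not self.q[l]["q"] or self.q[l]["q"][0] != CHANGEROOT:
            return False
        self.q[l]["q"].popleft()
        self._send_on(l[1])
        return True

    def check_invariants(self):
        crs = [l for l in self.internal for m in self.cqueue(l) if m == CHANGEROOT]
        if not self.rootchanged() and self.minlink is not None:  # CON-B
            assert len(self.nodes) == 1 or (self.minlink[0] != self.root() and len(crs) == 1)
        for q, p in crs:  # CON-C: p is a child of q and minnode(f) lies below p
            assert self.minlink is not None and not self.rootchanged()
            assert self.parent[p] == q and p in self.up_path(self.minlink[0])
        for l in self.external:  # CON-D: only CONNECT(level(f)), and only on minlink(f)
            cs = [m for m in self.cqueue(l) if m[0] == "CONNECT"]
            assert not cs or (l == self.minlink and cs == [("CONNECT", self.level)])

def run_changeroot_phase(f):
    """ComputeMin(f), then hop and process messages until rootchanged(f); returns CHANGEROOT hops."""
    assert f.compute_min()
    f.check_invariants()
    hops = []
    while not f.rootchanged():
        for l in list(f.q):
            while f.channel_step(l):
                f.check_invariants()
            if f.receive_changeroot(l):
                hops.append(l)
                f.check_invariants()
    return hops

def example_fragment():
    """Constructed: core (a,b), level 2; (b,z) is lightest but fragment(z) has level 1 < 2."""
    return Fragment([("a", "b"), ("a", "c"), ("c", "d"), ("b", "e"), ("e", "g")], ("a", "b"), 2,
                    {("d", "x"): (7, 2), ("g", "y"): (3, 2), ("b", "z"): (1, 1)})
```

On the sample, ComputeMin selects (g,y), the CHANGEROOT is received on (b,e) and then (e,g), and CONNECT(2) ends up in cqueue((g,y)), which is exactly when the derived rootchanged(f) becomes true.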

In order to show that CON simulates COM, we define an abstraction mapping M6 = (S6, A6) from CON to COM.

Define the function S6 from states(CON) to states(COM) by simply ignoring the message queues, and mapping the derived variables rootchanged(f) in the CON state to the (non-derived) variables rootchanged(f) in the COM state.

Define the function A6 as follows. Let s be a state of CON and π an action of CON enabled in s. If the minimum-weight external link of f is adjacent to core(f), then ComputeMin(f) causes ComputeMin(f), immediately followed by ChangeRoot(f), to be simulated in COM. Otherwise, ChangeRoot(f) is simulated when the source of minlink(f) receives a CHANGEROOT message.

• If π = ChannelSend((p,q),m), ChannelRecv((p,q),m), or AfterMerge(p,q), then A6(s,π) is empty.

• If π = ComputeMin(f) and mw-root(f) = mw-minnode(f) in s, then A6(s,π) = ComputeMin(f) t ChangeRoot(f), where t is identical to S6(s) except that minlink(f) equals the minimum-weight external link of f in t.

• If π = ComputeMin(f) and mw-root(f) ≠ mw-minnode(f) in s, then A6(s,π) = ComputeMin(f).

• If π = ReceiveChangeRoot((q,p)) and p = minnode(fragment(p)) in s, then A6(s,π) = ChangeRoot(fragment(p)).

• If π = ReceiveChangeRoot((q,p)) and p ≠ minnode(fragment(p)) in s, then A6(s,π) is empty.

• For all other values of π, A6(s,π) = π.

Recall that P'_COM = (P_HI ∘ S1) ∧ P_COM. If P'_COM(S6(s)) is true, then the COM predicates are true in S6(s), and the HI predicates are true in S1(S6(s)).

Lemma 23: CON simulates COM via M6, P_CON, and P'_COM.

Proof: By inspection, the types of CON, COM, M6, and P_CON are correct. By Corollary 14, P'_COM is a predicate true in every reachable state of COM.

(1) Let s be in start(CON). Obviously P_CON is true in s and S6(s) is in start(COM).

(2) Obviously, A6(s,π)|ext(COM) = π|ext(CON).

(3) Let (s',π,s) be a step of CON such that P'_COM is true of S6(s') and P_CON is true of s'. Below we show (3a) only for those predicates that are not obviously true in s.

i) π is Start(p), InTree(l) or NotInTree(l). A6(s',π) = π. Obviously, S6(s') π S6(s) is an execution fragment of COM, and P_CON is true in s.

ii) π is ChannelSend((q,p),m) or ChannelRecv((q,p),m). A6(s',π) is empty. Obviously, S6(s') = S6(s), and P_CON is true in s.

iii) π is ComputeMin(f).

Case 1: mw-root(f) ≠ mw-minnode(f) in s'.

(3b) A6(s',π) = π. Obviously S6(s') π S6(s) is an execution fragment of COM.

(3a) Claims about s':

1. minlink(f) = nil, by precondition.



2. l is the minimum-weight external link of f, by precondition.

3. level(f) ≤ level(fragment(target(l))), by precondition.

4. No CONNECT message is in cqueue(k), for any internal link k of f, by precondition.

5. p = mw-root(f), by assumption.

6. p ≠ mw-minnode(f), by assumption.

7. awake = true, by Claim 1 and COM-C.

8. No CHANGEROOT message is in subtree(f), by Claim 1 and CON-C.

9. mw-minnode(f) ∈ subtree(p), by Claim 5.

10. rootchanged(f) = false, by Claim 1 and COM-B.

Claims about s:

11. minlink(f) = l, the minimum-weight external link of f, by Claim 2 and code.

12. level(f) ≤ level(fragment(target(l))), by Claim 3.

13. p = root(f), by Claims 5 and 11.

14. p ≠ minnode(f), by Claims 6 and 11.

15. awake = true, by Claim 7.

16. Exactly one CHANGEROOT message is in subtree(f), by Claim 8 and code.

17. minnode(f) ∈ subtree(p), by Claims 9 and 11.

18. rootchanged(f) = false, by Claim 10.

19. No CONNECT message is in cqueue(k), for any internal link k of f, by Claim 4.

CON-A is true by Claim 15. CON-B is true by Claims 13, 14, and 16. CON-C is true by definition of tominlink, Claims 17, 18 and 11. CON-D and CON-E are true since no relevant changes are made. CON-F is true by Claim 19.

Case 2: mw-root(f) = mw-minnode(f) in s'.

(3b) A6(s',π) = π t ChangeRoot(f), where t is identical to S6(s') except that minlink(f) equals the minimum-weight external link of f in t.

Claims about s':

1. minlink(f) = nil, by precondition.

2. l is the minimum-weight external link of f, by precondition.

3. level(f) ≤ level(fragment(target(l))), by precondition.

4. awake = true, by Claim 1 and COM-C.

5. rootchanged(f) = false, by Claim 1 and COM-B.

Claims about t:

6. minlink(f) is the minimum-weight external link of f, by definition of t.

7. awake = true, by Claim 4.

8. rootchanged(f) = false, by Claim 5.

Claims about s:

9. minlink(f) is the minimum-weight external link of f, by code.

10. A CONNECT message is in cqueue(minlink(f)), by code.

11. rootchanged(f) = true, by Claims 9 and 10.

By Claims 1, 2 and 3, π is enabled in S6(s'). By Claim 6 (and definition of t), the effects of π are mirrored in t. By Claims 6, 7, and 8, ChangeRoot(f) is enabled in t. By Claim 11 (and definition of t), the effects of ChangeRoot(f) are mirrored in S6(s). Therefore, S6(s') π t ChangeRoot(f) S6(s) is an execution fragment of COM.

(3a) More claims about s':

12. No CHANGEROOT message is in subtree(f), by Claim 1 and CON-C.

13. No CONNECT message is in any cqueue(k), where k is an external link of f, by Claim 1 and CON-D.

14. No CONNECT message is in any cqueue(k), where k is an internal link of f, by precondition.

More claims about s:

15. awake = true, by Claim 4.

16. No CHANGEROOT message is in subtree(f), by Claim 12.

CON-A is true by Claim 15. CON-B is true by Claim 11. CON-C is true by Claim 16. CON-D is true by Claims 9, 10, and 13 and code. CON-E is true because no relevant changes are made. CON-F is true by Claim 14.

iv) π is ReceiveChangeRoot((q,p)). Let f = fragment(p).

Case 1: p ≠ minnode(f) in s'.

(3c) A6(s',π) is empty. Below we show that rootchanged(f) is the same in s' and s, which implies that S6(s) = S6(s').

Claims about s':

1. A CHANGEROOT message is in cqueue((q,p)), by precondition.
2. (p,q) ∈ subtree(f), by Claim 1 and CON-C.

3. rootchanged(f) = false, by Claims 1 and 2 and CON-A.

Claims about s:

4. rootchanged(f) = false, by Claim 1 and code.

Claims 2 and 4 give the result.

(3a) Let (p,r) = tominlink(p).

More claims about s':

5. awake = true, by Claim 1 and CON-A.

6. minlink(f) ≠ nil, by Claims 1 and 2 and CON-C.

7. minnode(f) ∈ subtree(p), by Claims 1 and 2 and CON-C.

8. There is exactly one CHANGEROOT message in subtree(f), by Claims 2, 3 and 6 and CON-B.

9. r is a child of p and minnode(f) ∈ subtree(r), by definition of tominlink(p).

More claims about s:

10. awake = true, by Claim 5.

11. There is exactly one CHANGEROOT message in subtree(f), by Claim 8 and code.

12. r is a child of p, by Claim 9.

13. minlink(f) ≠ nil, by Claim 6.

14. (p,r) ≠ core(f), by Claim 9.

15. minnode(f) ∈ subtree(r), by Claims 7 and 9.

CON-A is true by Claim 10. CON-B is true by Claim 11 and the assumption for Case 1. CON-C is true by Claims 4, 12, 13, 14 and 15. CON-D, CON-E and CON-F are true because no relevant changes are made.

Case 2: p = minnode(f) in s'.

(3b) A6(s',π) = ChangeRoot(f).

Claims about s':

1. A CHANGEROOT message is in cqueue((q,p)), by precondition.
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2.  p  =  minnode{f),  by  assumption. 

3.  awake  =  true,  by  Claim  1  and  CON-A. 

4.  minlink{f)  ^  nil,  by  Claim  1  and  CON-C. 

6.  rootchanged{f)  =  false,  by  Claim  1  and  CON-C. 

6.  minlink{f)  is  an  external  link  of  /,  by  Claim  4  and  COM-A. 

By  Claims  3,  4  and  5,  ChangeRoot(f)  is  enabled  in  Ssis'). 

Claims  about  s: 

7.  A  CONNECT  message  is  in  cqueue{minlink{f)),  by  code. 

8.  minlink{f)  is  an  external  link  of  /,  by  Claim  6. 

9.  rootchanged(f)  =  true,  by  Claims  7  and  8. 

By  Claim  9,  the  effects  of  ChangeRooi(f)  are  mirrored  in  <S6(s). 

So  56(s')  ChangeRoot{f)  <S6(s)  is  an  execution  fragment  of  COM. 


(3a)  More  claims  about  s'  : 

10.  p  is  a  child  of  q,  by  Claim  1  and  CON-C. 

11.  Exactly  one  changeroot  message  is  in  subtree{f),  by  Claims  5,  4,  10  and 
CON-B. 

12.  No  CONNECT  message  is  in  any  cqueue{k),  where  A:  is  an  external  link  of  /,  by 
Claim  5. 

13.  No  CONNECT  message  is  in  any  cqueue{k),  where  fc  is  an  internal  link  of  /,  by 
Claim  4  and  CON-F. 

More  claims  about  s: 

14.  awake  =  true,  by  Claim  3. 

15.  No  CHANGEROOT  message  is  in  subtree(f)',  by  Claims  1,  10  and  11  and  code. 

16.  No  CONNECT  message  is  in  any  cqueue{k),  where  k  is  an  internal  link  of  /,  by 
Claim  13. 

CON-A  is  true  by  Claim  14.  CON-B  is  true  by  Claim  9.  CON-C  is  true  by 
Claim  15.  CON-D  is  true  by  Claims  7,  8,  12  and  code.  CON-E  is  true  because  no 
relevant  changes  are  made.  CON-F  is  true  by  Claim  16. 


v) π is ChangeRoot(f).

(3b) A_6(s',π) = π.

Claims about s':

1. awake = true, by precondition.

2. rootchanged(f) = false, by precondition.

3. subtree(f) = {p}, by precondition.

4. minlink(f) ≠ nil, by Claim 3 and COM-E.

5. minlink(f) is an external link of f, by Claim 4 and COM-A.

Claims 1, 2 and 4 imply that π is enabled in S_6(s').

Claims about s:

6. minlink(f) is an external link of f, by Claim 5.

7. A CONNECT message is in cqueue(minlink(f)), by code.

8. rootchanged(f) = true, by Claims 6 and 7.

Claim 8 implies that the effects of π are mirrored in S_6(s). So S_6(s') π S_6(s) is an execution fragment of COM.

(3a) More claims about s':

9. No CHANGEROOT message is in cqueue((q,p)), for any q, by Claim 3 and CON-C.

10. No CONNECT message is in any cqueue(k), where k is an external link of f, by Claim 2.

11. No CONNECT message is in any cqueue(k), where k is an internal link of f, by Claim 3.

More claims about s:

12. awake = true, by Claim 1 and code.

13. No CHANGEROOT message is in cqueue((q,p)), for any q, by Claim 9.

14. No CONNECT message is in any cqueue(n), where n is an internal link of f, by Claim 11.

CON-A is true by Claim 12. CON-B is true by Claim 8. CON-C is true by Claim 13. CON-D is true by Claims 6, 7 and 10 and code. CON-E is true because no relevant changes are made. CON-F is true by Claims 6 and 14.


vi) π is Merge(f,g).

(3b) A_6(s',π) = π.

Claims about s':

1. A CONNECT(l) message is in cqueue((p,q)), by precondition.

2. (p,q) is an external link of f, by precondition.

3. A CONNECT(l) message is in cqueue((q,p)), by precondition.

4. (q,p) is an external link of g, by precondition.

5. f ≠ g, by Claims 2 and 4.

6. rootchanged(f) = true, by Claims 1 and 2.

7. rootchanged(g) = true, by Claims 3 and 4.

8. (p,q) = minlink(f), by Claims 1 and 2 and CON-D.

9. (q,p) = minlink(g), by Claims 3 and 4 and CON-D.

10. minedge(f) = minedge(g), by Claims 8 and 9.

11. If k ≠ minlink(f) is an external link of f, then no CONNECT message is in cqueue(k), by CON-D.

12. If k ≠ minlink(g) is an external link of g, then no CONNECT message is in cqueue(k), by CON-D.

By Claims 5, 6, 7 and 10, π is enabled in S_6(s'). By Claims 11 and 12 and the definition of h, rootchanged(h) = false in s, so the effects of π are mirrored in S_6(s). Thus, S_6(s') π S_6(s) is an execution fragment of COM.

(3a) More claims about s':

13. awake = true, by Claim 1 and COM-A.

14. No CHANGEROOT message is in subtree(f), by Claim 6 and CON-C.

15. No CHANGEROOT message is in subtree(g), by Claim 7 and CON-C.

16. No CONNECT message is in cqueue(k), for any internal link k of f, by Claim 8 and CON-F.

17. No CONNECT message is in cqueue(k), for any internal link k of g, by Claim 9 and CON-F.

18. Exactly one CONNECT message is in cqueue((p,q)), by Claims 1 and 2 and CON-D.

19. Exactly one CONNECT message is in cqueue((q,p)), by Claims 3 and 4 and CON-D.

20. l = level(f), by Claims 1 and 2 and CON-D.

Claims about s:

21. awake = true, by Claim 13 and code.

22. minlink(h) = nil, by code.

23. No CHANGEROOT message is in subtree(h), by Claims 14 and 15 and code.

24. No CONNECT message is in cqueue(k), for any external link k of h, by Claims 11 and 12 and code.

25. Exactly one CONNECT message is in cqueue((p,q)) and (p,q) = core(h), by Claim 18 and code.

26. l < level(h), by Claim 20 and code.

27. No CONNECT message is in cqueue((q,p)), by Claim 19 and code.

28. No CONNECT message is in any non-core internal link of h, by Claims 16 and 17 and code.

CON-A is true by Claim 21. CON-B is true by Claim 22. CON-C is true by Claim 23. CON-D is true by Claim 24. CON-E is true by Claims 25, 26, 27 and 28. CON-F is true by Claim 22.

vii) π is AfterMerge(p,q). A_6(s',π) is empty. Obviously, S_6(s) = S_6(s'), and P_CON is true in s.

viii) π is Absorb(f,g).

(3b) A_6(s',π) = π.

Claims about s':

1. (q,p) = minlink(g), by assumption.

2. A CONNECT(l) message is in cqueue(minlink(g)), by precondition.

3. l < level(f), by precondition.

4. f = fragment(p), by precondition.

5. minlink(g) is an external link of g, by Claim 1 and COM-A.

6. rootchanged(g) = true, by Claims 2 and 5.

7. l = level(g), by Claim 2 and CON-D.

8. level(g) < level(f), by Claims 7 and 3.

9. If a CONNECT message is in cqueue((p,q)), then (p,q) = minlink(f), by Claims 4 and 5 and CON-D.

10. If a CONNECT message is in cqueue((p,q)), then level(f) < level(g), by Claim 9 and COM-A.

11. No CONNECT message is in cqueue((p,q)), by Claims 8 and 10.

12. No CONNECT message is in cqueue(k), for any external link k ≠ minlink(g) of g, by CON-D.



Section  4.2.7:  GHS  Simultaneously  Simulates  TAR,  DC,  NOT,  CON 


By Claims 6, 8, 4 and 1, π is enabled in S_6(s'). By Claims 11 and 12, rootchanged(f) remains unchanged, and the effects of π are mirrored in S_6(s). Thus, S_6(s') π S_6(s) is an execution fragment of COM.

(3a) More claims about s':

13. awake = true, by Claim 2 and CON-A.

14. l ≥ 0, by COM-F.

15. level(f) > 0, by Claims 7, 8 and 14.

16. |nodes(f)| > 1, by Claim 15 and COM-F.

17. No CHANGEROOT message is in subtree(g), by Claim 6 and CON-C.

18. No CONNECT message is in cqueue(k), where k is an internal link of g, by Claim 1 and CON-F.

Claim about s:

19. awake = true, by Claim 12 and code.

CON-A is true by Claim 19. CON-B is true since by Claims 16 and 17 no relevant changes are made. CON-C is true since by Claims 11, 12 and 17 no relevant changes are made. CON-D is true since by Claim 12 no relevant changes are made. CON-E is true since by Claims 11 and 18 no relevant changes are made. CON-F is true by Claim 18 and code. □

Let P'_CON = (P_COM ∘ S_6) ∧ P_CON.

Corollary 24: P'_CON is true in every reachable state of CON.

Proof: By Lemmas 1 and 23. □

4.2.7 GHS Simultaneously Simulates TAR, DC, NOT and CON

This automaton is a fully distributed version of the original algorithm of [GHS]. (We have made some slight changes, which are discussed below.) The functions of TAR, DC, NOT and CON are united into one. All variables that are derived in one of these automata are also derived (in the same way) in GHS. In addition, there are the following derived variables. The variable dcstatus(p) of DC is refined by the variable nstatus(p), which has values sleeping, find, and found; initially, it is sleeping. The awake variable is now derived, and is true if and only if at least one node is not sleeping. The fragments are also derived, as follows. A subgraph of G is defined to have node set V(G) and edge set equal to all edges of G at least one of whose links is classified as branch and has no CONNECT message in it. A fragment is associated with each connected component of this graph. Also, testset(f) is defined to be all nodes p such that either testlink(p) ≠ nil, or a FIND message is headed toward p (or will be soon).

The bulk of the arguing done at this stage is showing that the derived variables (subtree, level, core, minlink, testset, rootchanged) have the proper values in the state mappings. In addition, a substantial argument is needed to show that the implementation of level and core by local variables interacts correctly with the test-accept-reject protocol. (See in particular the definition of the TAR action mapping for ReceiveTest, and the case for ReceiveTest in Lemma 25.) It would be ideal to do this argument in NOT, where the rest of the argument that core and level are implemented correctly is done, but reorganizing the lattice to allow this consolidation caused graver violations of modularity.

The messages sent in this automaton are all those sent in TAR, DC, NOT and CON, except that NOTIFY messages are replaced by INITIATE messages, which have a parameter that is either find or found, and FIND messages are replaced by INITIATE messages with the parameter equal to find.

Some minor changes were made to the algorithm as presented in [GHS]. First, our version initializes all variables to convenient values. (This change makes it easier to state the predicates.) Second, provision is made for the output actions InTree(l) and NotInTree(l). Third, when node p receives an INITIATE message, the variables inbranch(p), bestlink(p) and bestwt(p) are only changed if the parameter of the INITIATE message is find. This change does not affect the performance or correctness of the algorithm. The values of these variables will not be relevant until p subsequently receives an INITIATE-find message, yet the receipt of this message will cause these variables to be reset. The advantage of the change is that it greatly simplifies the state mapping from GHS to DC.

Our version of the algorithm is slightly more general than that in [GHS]. There, each node p has a single queue for incoming messages, whereas in our description, p has a separate queue of incoming messages for each of its neighbors. A node p in our algorithm could happen to process messages in the order, taken over all the neighbors, in which they arrive (modulo the requeueing), which would be consistent with the original algorithm. But p could also handle the messages in some other order (although, of course, still in order for each individual link). Thus, the set of executions of our version is a proper superset of the set of executions of the original.

A small optimization to the original algorithm was also found. (It does not affect the worst-case performance.) When a CONNECT message is received by p under circumstances that cause fragment g to be absorbed into fragment f, an INITIATE message with parameter find is only sent if testlink(p) ≠ nil in our version, instead of whenever nstatus(p) = find as in the original. As a result of this change, if nstatus(p) = find and testlink(p) = nil, p need not wait for the entire (former) fragment g to find its new minimum-weight external link before p can report to its parent, since this link can only have a larger weight than the minimum-weight external link of p already found.

The automaton GHS is the result of composing an automaton Node(p), for all p ∈ V(G), and Link(l), for all l ∈ L(G), and then hiding actions appropriately to fit the MST(G) problem specification.

First we describe the automaton Node(p), for p ∈ V(G). The state has the following components:

• nstatus(p), either sleeping, find, or found;

• nfrag(p), an edge of G or nil;

• nlevel(p), a nonnegative integer;

• bestlink(p), a link of G or nil;

• bestwt(p), a weight or ∞;

• testlink(p), a link of G or nil;

• inbranch(p), a link of G or nil; and

• findcount(p), a nonnegative integer.

For each link (p,q) ∈ L_p(G), there are the following variables:

• lstatus((p,q)), either unknown, branch or rejected;

• queue_p((p,q)), a FIFO queue of messages from p to q waiting at p to be sent;

• queue_p((q,p)), a FIFO queue of messages from q to p waiting at p to be processed; and

• answered((p,q)), a Boolean.

The set of possible messages M is {CONNECT(l) : l ≥ 0} ∪ {INITIATE(l,c,st) : l ≥ 0, c ∈ E(G), st is find or found} ∪ {TEST(l,c) : l ≥ 0, c ∈ E(G)} ∪ {REPORT(w) : w is a weight or ∞} ∪ {ACCEPT, REJECT, CHANGEROOT}.

In the start state of Node(p), nstatus(p) = sleeping, nfrag(p) = nil, nlevel(p) = 0, bestlink(p) is arbitrary, bestwt(p) is arbitrary, testlink(p) = nil, inbranch(p) is arbitrary, findcount(p) = 0, lstatus(l) = unknown for all l ∈ L_p(G), answered(l) = false for all l ∈ L_p(G), and both queues are empty.

Now we describe the actions of Node(p).

Input actions:

• Start(p)
  Effects:
    if nstatus(p) = sleeping then execute procedure WakeUp(p)

• ChannelRecv(l,m), l ∈ L_p(G), m ∈ M
  Effects:
    enqueue(m, queue_p(l))

Output actions:

• InTree(l), l ∈ L_p(G)
  Preconditions:
    answered(l) = false
    lstatus(l) = branch
  Effects:
    answered(l) := true

• NotInTree(l), l ∈ L_p(G)
  Preconditions:
    answered(l) = false
    lstatus(l) = rejected
  Effects:
    answered(l) := true

• ChannelSend(l,m), l ∈ L_p(G), m ∈ M
  Preconditions:
    m at head of queue_p(l)
  Effects:
    dequeue(queue_p(l))

Internal actions:

• ReceiveConnect((q,p),l), (p,q) ∈ L_p(G)
  Preconditions:
    CONNECT(l) at head of queue_p((q,p))
  Effects:
    dequeue(queue_p((q,p)))
    if nstatus(p) = sleeping then execute procedure WakeUp(p)
    if l < nlevel(p) then [
      lstatus((p,q)) := branch
      if testlink(p) ≠ nil then [
        enqueue(INITIATE(nlevel(p), nfrag(p), find), queue_p((p,q)))
        findcount(p) := findcount(p) + 1 ]
      else enqueue(INITIATE(nlevel(p), nfrag(p), found), queue_p((p,q))) ]
    else
      if lstatus((p,q)) = unknown then enqueue(CONNECT(l), queue_p((q,p)))
      else enqueue(INITIATE(nlevel(p) + 1, (p,q), find), queue_p((p,q)))

• ReceiveInitiate((q,p),l,c,st), (p,q) ∈ L_p(G)
  Preconditions:
    INITIATE(l,c,st) at head of queue_p((q,p))
  Effects:
    dequeue(queue_p((q,p)))
    nlevel(p) := l
    nfrag(p) := c
    nstatus(p) := st
    -- let S = {(p,r) : lstatus((p,r)) = branch, r ≠ q} --
    enqueue(INITIATE(l,c,st), queue_p(k)) for all k ∈ S
    if st = find then [
      inbranch(p) := (p,q)
      bestlink(p) := nil
      bestwt(p) := ∞
      execute procedure Test(p)
      findcount(p) := |S| ]

• ReceiveTest((q,p),l,c), (p,q) ∈ L_p(G)
  Preconditions:
    TEST(l,c) at head of queue_p((q,p))
  Effects:
    dequeue(queue_p((q,p)))
    if nstatus(p) = sleeping then execute procedure WakeUp(p)
    if l > nlevel(p) then enqueue(TEST(l,c), queue_p((q,p)))
    else
      if c ≠ nfrag(p) then enqueue(ACCEPT, queue_p((p,q)))
      else [
        if lstatus((p,q)) = unknown then lstatus((p,q)) := rejected
        if testlink(p) ≠ (p,q) then enqueue(REJECT, queue_p((p,q)))
        else execute procedure Test(p) ]

• ReceiveAccept((q,p)), (p,q) ∈ L_p(G)
  Preconditions:
    ACCEPT at head of queue_p((q,p))
  Effects:
    dequeue(queue_p((q,p)))
    testlink(p) := nil
    if wt(p,q) < bestwt(p) then [
      bestlink(p) := (p,q)
      bestwt(p) := wt(p,q) ]
    execute procedure Report(p)

• ReceiveReject((q,p)), (p,q) ∈ L_p(G)
  Preconditions:
    REJECT at head of queue_p((q,p))
  Effects:
    dequeue(queue_p((q,p)))
    if lstatus((p,q)) = unknown then lstatus((p,q)) := rejected
    execute procedure Test(p)

• ReceiveReport((q,p),w), (p,q) ∈ L_p(G)
  Preconditions:
    REPORT(w) at head of queue_p((q,p))
  Effects:
    dequeue(queue_p((q,p)))
    if (p,q) ≠ inbranch(p) then [
      findcount(p) := findcount(p) - 1
      if w < bestwt(p) then [
        bestwt(p) := w
        bestlink(p) := (p,q) ]
      execute procedure Report(p) ]
    else
      if nstatus(p) = find then enqueue(REPORT(w), queue_p((q,p)))
      else if w > bestwt(p) then execute procedure ChangeRoot(p)

• ReceiveChangeRoot((q,p)), (p,q) ∈ L_p(G)
  Preconditions:
    CHANGEROOT at head of queue_p((q,p))
  Effects:
    dequeue(queue_p((q,p)))
    execute procedure ChangeRoot(p)

Procedures

• WakeUp(p)
    -- let (p,q) be the minimum-weight link of p --
    lstatus((p,q)) := branch
    nstatus(p) := found
    enqueue(CONNECT(0), queue_p((p,q)))

• Test(p)
    if l, the minimum-weight link of p with lstatus(l) = unknown, exists then [
      testlink(p) := l
      enqueue(TEST(nlevel(p), nfrag(p)), queue_p(l)) ]
    else [
      testlink(p) := nil
      execute procedure Report(p) ]

• Report(p)
    if findcount(p) = 0 and testlink(p) = nil then [
      nstatus(p) := found
      enqueue(REPORT(bestwt(p)), queue_p(inbranch(p))) ]

• ChangeRoot(p)
    if lstatus(bestlink(p)) = branch then
      enqueue(CHANGEROOT, queue_p(bestlink(p)))
    else [
      enqueue(CONNECT(nlevel(p)), queue_p(bestlink(p)))
      lstatus(bestlink(p)) := branch ]

Now we describe the automaton Link((p,q)), for each (p,q) ∈ L(G).

The state consists of the single variable queue_pq((p,q)), a FIFO queue of messages. The set of messages, M, is the same as for Node(p). The queue is empty in the start state.

Input Actions:

• ChannelSend((p,q),m), m ∈ M
  Effects:
    enqueue(m, queue_pq((p,q)))

Output Actions:

• ChannelRecv((p,q),m), m ∈ M
  Preconditions:
    m at head of queue_pq((p,q))
  Effects:
    dequeue(queue_pq((p,q)))

Now we can define the automaton that models the entire network. Define the automaton GHS to be the result of composing the automata Node(p), for all p ∈ V(G), and Link(l), for all l ∈ L(G), and then hiding all actions except for Start(p), p ∈ V(G), InTree(l) and NotInTree(l), l ∈ L(G).
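An executable model of the Node(p) automaton just described, added here as an example and not part of the thesis: the actions, procedures and message names follow the listing above, while the random scheduler, the sample graph and its weights are constructed. Two assumptions: ChannelSend and ChannelRecv are always run right after an enqueue, so the three FIFO queues of a link collapse into the receiver's queue (a subset of the executions above), and in ReceiveInitiate findcount(p) is assigned before Test(p) is executed, so that Report(p) cannot fire before p's children have reported.

```python
"""Model of the Node(p) automaton on this page (GHS); an added example, see the lead-in.  Assumed
schedule: ChannelSend/ChannelRecv run right after each enqueue, so queue((p,q)) is one FIFO."""
import random
from collections import deque

class Node:  # Node(p); lstatus holds only branch/rejected links, an absent key means unknown
    def __init__(self, p, edges, net):               # the state components of Node(p)
        self.p, self.net, self.lstatus, self.bestwt = p, net, {}, float("inf")
        self.wt = {(b if a == p else a): w for (a, b), w in edges.items() if p in (a, b)}
        self.inq = {q: deque() for q in self.wt}     # queue_p((q,p)), one per neighbour q
        self.nstatus, self.nfrag, self.nlevel, self.findcount = "sleeping", None, 0, 0
        self.bestlink = self.testlink = self.inbranch = None
    def send(self, q, *msg):                         # enqueue on queue_q((p,q)) of neighbour q
        self.net[q].inq[self.p].append(msg)
    def offer(self, q, w):                           # candidate (q, w) for bestlink, then Report(p)
        if w < self.bestwt:
            self.bestlink, self.bestwt = q, w
        self.report()
    def wake_up(self):                               # procedure WakeUp(p)
        q = min(self.wt, key=self.wt.get)
        self.lstatus[q], self.nstatus = "branch", "found"
        self.send(q, "CONNECT", 0)
    def test(self):                                  # procedure Test(p)
        unknown = [q for q in self.wt if q not in self.lstatus]
        self.testlink = min(unknown, key=self.wt.get) if unknown else None
        if self.testlink is None:
            return self.report()
        self.send(self.testlink, "TEST", self.nlevel, self.nfrag)
    def report(self):                                # procedure Report(p)
        if self.findcount == 0 and self.testlink is None:
            self.nstatus = "found"
            self.send(self.inbranch, "REPORT", self.bestwt)
    def change_root(self):                           # procedure ChangeRoot(p)
        if self.lstatus.get(self.bestlink) == "branch":
            return self.send(self.bestlink, "CHANGEROOT")
        self.send(self.bestlink, "CONNECT", self.nlevel)
        self.lstatus[self.bestlink] = "branch"
    def receive(self, q):                            # the Receive* internal actions of Node(p)
        kind, *args = msg = self.inq[q].popleft()
        if kind in ("CONNECT", "TEST") and self.nstatus == "sleeping":
            self.wake_up()
        if kind == "CONNECT":
            if args[0] < self.nlevel:                # Absorb q's fragment into p's
                self.lstatus[q] = "branch"
                st = "find" if self.testlink is not None else "found"
                self.findcount += st == "find"       # q now owes p a REPORT
                self.send(q, "INITIATE", self.nlevel, self.nfrag, st)
            elif q not in self.lstatus:
                self.inq[q].append(msg)              # requeue
            else:                                    # Merge: new core (p,q), level + 1
                self.send(q, "INITIATE", self.nlevel + 1, frozenset((self.p, q)), "find")
        elif kind == "INITIATE":
            self.nlevel, self.nfrag, self.nstatus = l, c, st = args
            S = [r for r, s in self.lstatus.items() if s == "branch" and r != q]
            for r in S:
                self.send(r, "INITIATE", l, c, st)
            if st == "find":
                self.inbranch, self.bestlink, self.bestwt = q, None, float("inf")
                self.findcount = len(S)              # set before Test(p): Report(p) waits for S
                self.test()
        elif kind == "TEST":
            l, c = args
            if l > self.nlevel:
                self.inq[q].append(msg)              # requeue until p's level catches up
            elif c != self.nfrag:
                self.send(q, "ACCEPT")
            else:
                self.lstatus.setdefault(q, "rejected")
                if self.testlink != q:
                    self.send(q, "REJECT")
                else:
                    self.test()                      # both ends tested this link: move on
        elif kind == "ACCEPT":
            self.testlink = None
            self.offer(q, self.wt[q])
        elif kind == "REJECT":
            self.lstatus.setdefault(q, "rejected")
            self.test()
        elif kind == "REPORT":
            if q != self.inbranch:
                self.findcount -= 1
                self.offer(q, args[0])
            elif self.nstatus == "find":
                self.inq[q].append(msg)              # requeue: own subtree not done yet
            elif args[0] > self.bestwt:
                self.change_root()                   # minlink(f) lies on p's side of the core
        elif kind == "CHANGEROOT":
            self.change_root()

def run_ghs(edges, seed=0):  # random scheduler; only node 0 gets Start(p), the rest wake on messages
    rng, nodes = random.Random(seed), {}
    nodes.update({p: Node(p, edges, nodes) for p in {p for e in edges for p in e}})
    nodes[0].wake_up()
    while acts := [(n, q) for n in nodes.values() for q, m in n.inq.items() if m]:
        n, q = rng.choice(acts)
        n.receive(q)
    return {frozenset((n.p, q)) for n in nodes.values() for q, s in n.lstatus.items() if s == "branch"}

EDGES = {(0, 1): 14, (0, 3): 10, (1, 2): 16, (1, 3): 18, (1, 4): 15, (2, 4): 11, (3, 4): 30,
         (3, 5): 12, (4, 5): 17, (4, 6): 19, (5, 6): 22}  # constructed sample, distinct weights
```

run_ghs(EDGES) returns the branch edges at quiescence, which for any scheduling seed is the unique MST of the sample graph.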

Given a FIFO queue q and a set M, define q|M to be the FIFO queue obtained from q by deleting all elements of q that are not in M.

Derived Variables:

• queue((p,q)) is queue_p((p,q)) || queue_pq((p,q)) || queue_q((p,q)).

• tarqueue_p((p,q)) is queue_p((p,q))|M_TAR, where M_TAR is the set of all possible messages in TAR; similarly for tarqueue_pq((p,q)) and tarqueue_q((p,q)). Similar definitions are made for the dcqueue's, nqueue's, and cqueue's, except that for the dcqueue's, each INITIATE(l,c,find) message is replaced with a FIND message, and for the nqueue's, each INITIATE(l,c,*) message is replaced with a NOTIFY(l,c) message.

• awake is false if and only if nstatus(p) = sleeping for all p ∈ V(G).

• For all p ∈ V(G), dcstatus(p) = unfind if nstatus(p) = sleeping or found, and dcstatus(p) = find if nstatus(p) = find.

• MSF is the subgraph of G whose nodes are V(G), and whose edges are all edges (p,q) of G such that either (1) lstatus((p,q)) = branch and no CONNECT message is in queue((p,q)), or (2) lstatus((q,p)) = branch and no CONNECT message is in queue((p,q)).

• fragments is a set of elements, called fragments, one for each connected component of MSF.

Each fragment f has the following components:

• subtree(f), the corresponding connected component of MSF;

• level(f), defined as in NOT;

• core(f), defined as in NOT;

• testset(f), the set of all p ∈ nodes(f) such that one of the following is true: (1) a FIND message is headed toward p, (2) testlink(p) ≠ nil, or (3) a CONNECT message is in queue((q,r)), where (q,r) = core(f) and p ∈ subtree(q);

• minlink(f), defined as in DC;

• rootchanged(f), defined as in CON; and

• accmin(f), defined as in TAR and DC.

Define the following predicates on states(GHS). (All free variables are universally quantified.)

• GHS-A: If nstatus(p) = sleeping, then

(a) there is a fragment f such that subtree(f) = {p},

(b) queue((p,q)) is empty for all q, and

(c) lstatus((p,q)) = unknown for all q.



• GHS-B: If CONNECT(l) is in queue((q,p)), lstatus((p,q)) ≠ unknown, and no CONNECT is in queue((p,q)), then

(a) the state of queue((q,p)) is CONNECT(l) followed by INITIATE(l+1, (p,q), find);

(b) queue((p,q)) is empty;

(c) nstatus(q) ≠ find; and

(d) nlevel(p) = nlevel(q) = l.

• GHS-C: If a CONNECT message is in queue(l), then no FIND message precedes the CONNECT in queue(l), and no TEST or REJECT message is in queue(l).

• GHS-D: If INITIATE(l,c,find) is in subtree(f), then l = level(f).

• GHS-E: If INITIATE(l,c,st) is in queue((p,q)) and (p,q) = core(fragment(p)), then st = find.

• GHS-F: If TEST(l,c) is in queue((q,p)), then nlevel(q) ≥ l.

• GHS-G: If ACCEPT is in queue((q,p)), then nlevel(p) ≤ nlevel(q).

• GHS-H: If testlink(p) ≠ nil, then nstatus(p) = find.

• GHS-I: If p is up-to-date, then nlevel(p) = level(fragment(p)).

• GHS-J: If p is up-to-date, p ∉ testset(fragment(p)), and (p,q) is the minimum-weight external link of p, then nlevel(p) ≤ nlevel(q).

• GHS-K: If subtree(f) = {p} and nstatus(p) ≠ sleeping, then rootchanged(f) = true.

Let P_GHS be the conjunction of GHS-A through GHS-K.

We now define the abstraction mapping M_x from GHS to x, for x = TAR, DC, NOT and CON. S_x should be obvious for all x, given the above derived functions. We now define A_x(s,π) for all x, states s of GHS, and actions π of GHS enabled in s.

• π = InTree(l) or NotInTree(l). A_x(s,π) = π for all x.

• π = Start(p). Let f = fragment(p).

Case 1: nstatus(p) = sleeping in s. For all x, A_x(s,π) = Start(p) t_x ChangeRoot(f), where t_x is the same as S_x(s) except that awake = true in t_x.

Case  2:  nstatus{p)  ^  sleeping  in  s.  ^i(-s,'7r)  =  tt  for  all  r. 

•  TT  =  ChannelRecv(k,m).  For  all  x,  Ai;(s,7r)  is  empty,  with  the  following  ex¬ 
ceptions:  If  m  =  connect(0  or  changeroot,  then  AcoN{s,7r)  —  n.  If 
m  =  initiate(/,c,  s<),  then  Anot{^,'’^)  =  ChannelRecv{k,  notify  (I,  c)),  and  if 
st  =  find,  then  ADc(^^‘^)  =  ChannelRecv(k,  find).  If  m  =  test,  accept  or 
REJECT,  then  ATAR{s,n)  =  tt.  If  m  =  report(zi;),  then  ADc{s,n)  =  n. 

•  TT  =  Channels end(k,m).  Analogous  to  ChannelRecv{k,m). 

•  TT  =  ReceiveConnect({q,p),l).  Let  /  =  fragment{p)  and  g  =  fragment{q). 
(Later  we  will  show  that  the  following  four  cases  are  exhaustive.) 

Case  1:  nstatus(p)  =  sleeping  in  s.  If  {p,q)  is  not  the  minimum-weight  ex¬ 
ternal  link  of  p  in  s,  then  Az{s,t:)  —  ChangeRoot(f)  for  all  x.  If  {p,q)  is  the 
minimum-weight  external  link  of  p  in  s,  then,  for  all  x,  tt)  =  ChangeRoot{f) 

t-z  Merge{f,  g),  where  is  the  state  of  x  resulting  from  applying  ChangeRoot(f)  to 
Sz(s). 


Case  2:  nstatus(p)  ^  sleeping,  I  =  nlevel{p),  and  no  CONNECT  message  is  in 
queue{{p,  q))  in  s.  If  lstatus{{p,q))  =  unknown  in  s,  then  >li(s,7r)  is  empty  for  all 
X.  If  lstatus{{p,q))  ^  unknown  in  s,  then  ^TAR(5)7r)  is  empty,  and  Azis,^)  = 
AfterMerge{p,q)  for  all  other  x. 

Case  S:  nstatus{p)  ^  sleeping,  I  =  nlevel{p),  and  a  connect  message  is  in 
queue{{p,q))  in  s.  >lx(s,7r)  =  Merge{f,g)  for  all  x. 

Case  4-  nstatus{p)  ^  sleeping,  and  I  <  nlevel{p)  in  s.  Az{s,tt)  —  Absorb{f,g) 
for  all  X. 

•  TT  =  Receivelnitiate{{q,p),l,c.  st). 

AtarI^,  =  SendTest(p)  if  st  =  find,  and  is  empty  otherwise. 

If  st  ^  find,  then  ADc{s,n)  is  empty;  if  st  =  find  and  there  is  a  link  (p.r) 
such  that  lstatus{{p,r))  =  unknown  in  s,  then  ADcis,n)  =  ReceiveFind{{q, p));  if 
st  =  find  and  there  is  no  link  (p, r)  such  that  btatus{{p,r))  —  unknown  in  s,  then 
Aocis,  tt)  =  ReceiveFind{{q,  ]}))  t  TestNode{p).  where  t  is  the  state  of  DC  resulting 
from  applying  ReceiveFind{ {q, p))  to  Sdc{s). 


7'’)  =  ReceiveNotify((q,p),l.c). 
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Acon{6,t^)  is  empty. 


•  TT  =  ReceiveTest{{q,p),l,c).  Let  /  =  fragment{p). 

Case  1:  nstatus(p)  =  sleeping  in  s. 

AxARi^^'’^)  =  ChangeRooi{f)  t  ir,  where  t  is  the  same  as  Star{^)  except  that 
rootchanged{f)  =  true  and  lsiaius{minlink{f))  =  branch  in  t. 

^i(s,7r)  =  ChangeRoot{f)  for  all  other  x. 

Case  2:  nstatus(p)  ^  sleeping  in  s. 

AxARi^''^)  =  tt  if  /  <  nlevel{p)  or  nlevel{p)  =  level{f)  in  s,  and  is  empty 
otherwise. 

ADcis,v)  =  TestNode{p)  if  I  <  nlevel(p),  c  =  nfrag{p),  testlink{p)  =  (p,?), 
and  lsiatus({p,r))  ^  unknown  for  all  r  ^  q,  in  s,  and  is  empty  otherwise. 

7r)  is  empty  for  all  other  x. 

•  TT  =  Receive  Accepi{{q,p)). 

Atar{s,t^)  =  TT. 

Aocisi'^)  —  TestNode{p). 

•^1(5,  tt)  is  empty  for  all  other  x. 

•  TT  =  ReceiveRejeci({q,p)). 

ATARis,n)  =  TT. 

=  TestNode{p)  if  there  is  no  r  ^  q  such  that  lstatus{{p,r))  =  un¬ 
known  in  s,  and  is  empty  otherwise. 

Ai{s,n)  is  empty  for  all  other  x. 

•  TT  =  ReceiveReport({q,p),w).  Let  /  =  fragment{p). 

Case  1:  {p,q)  =  core(f),  nstatus(p)  ^  find,  to  >  bestwt(p),  and  Istaius 
{bcstlinklp})  =  branch  in  .s. 

^Dc(^S7r)  =  TT. 

>ti(s,7r)  =  ComputeMin{f)  for  all  other  x. 


Case  &:  (p,q)  =  core(f),  nstatus{p)  ^  find,  w  >  bestwt(p),  and  hiatus 
(bestlink(p))  ^  branch  in  s. 

Adc{s,tt)  =  TT  tuc  Chang€Root(f),  where  toe  is  the  state  of  DC  resulting 
from  applying  tt  to  Sdc(^)- 

■4coiv(s,  tt)  =  CompuieMin(f). 

Axis,!:)  =  Compute  Mini  f)  tx  ChangeRooHif)  for  all  other  x,  where  tx  is  the 
state  of  X  resulting  from  applying  ComputeMinif)  to  Sxis). 

Case  S:  ip,q)  coreif)  or  nstatusip)  —  find  or  w  <  hestwtip)  in  s. 

Aocis,!:)  =  TT. 

tt)  is  empty  for  all  other  x. 

•  TT  =  ReceiveChangeRooi{iq,p)).  Let  /  =  fragmeniip). 

AcONis,  tt)  =  TT. 

For  all  other  x,  Axis,::)  =  ChangeRoot{f)  if  Istatusibestlinkip))  ^  branch  in 
s,  and  is  empty  otherwise. 

For  the  rest  of  this  chapter,  let  /  be  the  set  of  names  {TAR,  DC,  NOT,  CON). 
The  following  predicates  are  true  in  any  state  of  GHS  satisfying  t\i^ii^x  o  Sx)  A 
Pqhs-  be.,  they  are  derivable  from  Pghs,  together  with  the  TAR,  DC,  NOT,  CON. 
GC,  COM  and  HI  predicates. 

•  GHS-L;  If  AfterMergeip,q)  is  enabled  for  DC  or  NOT,  then  a  connect  mes¬ 
sage  is  at  the  head  of  queuei{q,p)). 

Proof:  First  we  show  the  predicate  for  DC.  Let  /  =  fragmentip). 
iP>q)  =  eore(/),  by  precondition 

2.  FIND  is  in  dcqueueiiq,p)),  by  precondition. 

3.  No  FIND  is  in  dcqueuei{p,q)),  by  precondition. 

4.  dcstatus(q)  =  unfind,  by  precondition. 

5.  No  REPORT  is  in  dcqueuei{q,p)),  by  precondition. 

6.  7  E  testset(f),  by  Claims  1  through  5  and  DC-G. 

7.  testlinkip)  =  by  Claim  4  and  GHS-H. 
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8.  A  CONNECT  is  in  queue{{q,p)),  by  Claims  1,  3,  6  and  7. 

9-  (Pi?)  ^  subtree{f),  by  Claim  1  and  COM-F. 

10.  No  initiate(*,*, found)  is  in  queue{{q,p)),  by  Claim  1  and  GHS-E. 

11.  No  CHANGEROOT  is  in  queue{{q,p)),  by  Claim  1. 

12.  No  ACCEPT  is  in  queue({q,p)),  by  Claim  9  and  TAR-F. 

13.  CONNECT  precedes  any  find,  test,  or  reject  in  queue({q,  p)),  by  Claim  GHS-C. 

Claims  5,  8,  10,  11,  12  and  13  give  the  result. 

For NOT, we show that if AfterMerge(p,q) for NOT is enabled, then AfterMerge(p,q) for DC is enabled.

1. (p,q) = core(f), by precondition.

2. NOTIFY(nlevel(p)+1, (p,q)) is in nqueue((q,p)), by precondition.

3. No NOTIFY(nlevel(p)+1, (p,q)) is in nqueue((p,q)), by precondition.

4. nlevel(q) ≠ nlevel(p)+1, by precondition.

5. INITIATE(nlevel(p)+1, (p,q), find) is in queue((q,p)), by Claims 1 and 2 and GHS-E.

6. nlevel(p)+1 = level(f), by Claim 5 and GHS-D.

7. No INITIATE(*,*,find) is in queue((p,q)), by Claims 3 and 6 and GHS-D.

8. q is not up-to-date, by Claims 4 and 6 and GHS-I.

9. dcstatus(q) ≠ find, by Claim 8 and DC-I(a).

10. No REPORT is in queue((q,p)), by Claims 1 and 8 and DC-C(a).

By Claims 1, 5, 7, 9 and 10, AfterMerge(p,q) for DC is enabled. □

• GHS-M: If testlink(p) ≠ nil or findcount(p) > 0, then no FIND message is headed toward p, and no CONNECT message is in queue((q,r)), where (q,r) = core(fragment(p)) and p ∈ subtree(q).

Proof:

1. testlink(p) ≠ nil or findcount(p) > 0, by assumption.

2. nstatus(p) = find, by Claim 1 and either GHS-H or DC-H(b).

3. dcstatus(t) = find for all t between q and p inclusive, by Claim 2 and DC-H(a).

4. No FIND message is headed toward p, by Claim 4 and DC-D(b).

5. No CONNECT is in queue((q,r)), or lstatus((r,q)) = unknown, or CONNECT is in queue((r,q)), by Claim 3 and GHS-B(c).

6. (q,r) ∈ subtree(fragment(p)), by COM-F.

7. lstatus((r,q)) ≠ unknown, by Claim 6 and TAR-A(b).

8. If CONNECT is in queue((r,q)) then no CONNECT is in queue((q,r)), by Claim 6.

9. If no CONNECT is in queue((r,q)) then no CONNECT is in queue((q,r)), by Claims 5 and 7.

Claims 4, 8 and 9 give the result. □

Lemma 25: GHS simultaneously simulates the set of automata {TAR, DC, NOT, CON} via {M_x : x ∈ I}, P_GHS, {P'_x : x ∈ I}.

Proof: By inspection, the types are correct. By Corollaries 18, 20, 22 and 24, P'_x is a predicate true in every reachable state of x, for all x.

(1) Let s be in start(GHS). Obviously P_GHS is true in s and S_x(s) is in start(x) for all x.

(2) Obviously, A_x(s,π)|ext(x) = π|ext(GHS) for all x.

(3) Let (s',π,s) be a step of GHS such that P_GHS(s')

are true. By Corollaries 18, 20, 22 and 24, we can assume the HI, COM, GC, TAR, DC, NOT and CON predicates are true in s', as well as the GHS predicates. Below, we show (3a), that P_GHS is true in s (only for those predicates whose truth in s is not obvious), and either (3b) or (3c), as appropriate, that the step simulations for TAR, DC, NOT, and CON are correct.

i) π is InTree((p,q)). Let f = fragment(p) in s'.

(3a) Obviously, P_GHS is true in s.

(3b)/(3c) A_x(s',π) = π for all x.

Claims about s':

1. answered((p,q)) = false, by precondition.

2. lstatus((p,q)) = branch, by precondition.

3. nstatus(p) ≠ sleeping, by Claim 2 and GHS-A(c).

4. awake = true, by Claim 3.

5. (p,q) ∈ subtree(f) or (p,q) = minlink(f), by Claim 2 and TAR-A(a).

π is enabled in S_x(s') by Claims 1 and 2 for x = TAR, and by Claims 1, 4 and 5 for all other x. Obviously, its effects are mirrored in S_x(s) for all x.

ii) π is NotInTree((p,q)). Let f = fragment(p) in s'.

(3a) Obviously, P_GHS is true in s.

(3b)/(3c) A_x(s',π) = π for all x.

Claims about s':

1. answered((p,q)) = false, by precondition.

2. lstatus((p,q)) = rejected, by precondition.

3. nstatus(p) ≠ sleeping, by Claim 2 and GHS-A(c).

4. awake = true, by Claim 3.

5. fragment(p) = fragment(q) and (p,q) ∉ subtree(f), by Claim 2 and TAR-B.

π is enabled in S_x(s') by Claims 1 and 2 for x = TAR, and by Claims 1, 4 and 5 for all other x. Obviously its effects are mirrored in S_x(s) for all x.

iii) π is Start(p). Let f = fragment(p).

Case 1: nstatus(p) ≠ sleeping in s'. A_x(s',π) = π for all x. Obviously S_x(s') π S_x(s) is an execution fragment of x for all x, and P_GHS is true in s.

Case 2: nstatus(p) = sleeping in s'.

(3b)/(3c) For all x, A_x(s',π) = π t_x ChangeRoot(f), where t_x is the same as S_x(s') except that awake = true in t_x. For all x, we must show that π is enabled in S_x(s') (which is true because π is an input action), that its effects are mirrored in t_x (which is true by definition of t_x), that ChangeRoot(f) is enabled in t_x, and that its effects are mirrored in S_x(s).

Let l be the minimum-weight external link of p. (It exists by GHS-A(a) and the assumption that |V(G)| > 1.)

Claims about s':

1. nstatus(p) = sleeping, by assumption.

2. subtree(f) = {p}, by Claim 1 and GHS-A.

3. minlink(f) = l, by Claim 2 and definition.

4. lstatus((p,q)) = unknown, for all q, by Claim 1 and GHS-A(c).

5. rootchanged(f) = false, by Claim 4 and TAR-H.

Claims about t_x, for all x:

6. awake = true, by definition.

7. subtree(f) = {p}, by Claim 2.

8. rootchanged(f) = false, by Claim 5.

9. minlink(f) = l, by Claim 3.

ChangeRoot(f) is enabled in t_CON by Claims 6, 7 and 8. For all other x, ChangeRoot(f) is enabled in t_x by Claims 6, 8 and 9.

Claims about s:

10. CONNECT(0) is in queue(l), by code.

11. lstatus(l) = branch, by code.

12. rootchanged(f) = true, by Claims 10 and 11 and choice of l.

For most of the other derived variables, it is obvious that they are the same in s' and s. Although nstatus(p) changes, dcstatus(p) remains unchanged. Even though lstatus(l) changes to branch, MSF does not change, since a CONNECT message is in queue(l).

For x = TAR, the effects of ChangeRoot(f) are mirrored in S_x(s) by Claims 11 and 12. For x = CON, the effects of ChangeRoot(f) are mirrored in S_x(s) by Claim 10. For all other x, the effects of ChangeRoot(f) are mirrored in S_x(s) by Claim 12.


(3a) More claims about s':

13. lstatus((q,p)) ≠ rejected, for all q, by Claim 2 and TAR-B.

14. If lstatus((q,p)) = branch, then a CONNECT is in queue((q,p)), for all q, by Claim 2.

15. testset(f) = ∅, by Claim 3 and GC-C.

16. testlink(p) = nil, by Claim 15.

17. queue(l) is empty, by Claim 1 and GHS-A(b).

GHS-A is vacuously true since nstatus(p) = found in s.

GHS-B: vacuously true for the CONNECT added to queue(l) by Claims 13 and 14; vacuously true for any CONNECT already in queue(reverse(l)) by Claim 10; vacuously true for any CONNECT already in queue((q,p)), for any q such that (p,q) ≠ l, by Claim 4.

GHS-C is true by Claim 17 and code.

GHS-H is vacuously true by Claim 16.
iv) π is ChannelRecv(k,m) or ChannelSend(k,m). Obviously P_GHS(s) is true, and the step simulations are correct.

v) π is ReceiveConnect((q,p),l). Let f = fragment(p), and g = fragment(q) in s'. We consider four cases. We now show that they are exhaustive, i.e., that l > nlevel(p) is impossible. First, suppose (q,p) is an external link of g. By CON-D, l = level(g) and (q,p) = minlink(g). By NOT-D, level(g) < nlevel(p). Second, suppose (q,p) is an internal link of g = f. By CON-E, (p,q) = core(f), and l < level(f). But by NOT-C, nlevel(p) > level(f) − 1.

Case 1: nstatus(p) = sleeping. This case is divided into two subcases. First we prove some claims true in both subcases. Let k be the minimum-weight external link of p.

Claims about s':

1. CONNECT(l) is at head of queue_p((q,p)), by precondition.

2. nstatus(p) = sleeping, by assumption.

3. subtree(f) = {p}, by Claim 2 and GHS-A.

4. rootchanged(f) = false, by Claim 2, GHS-A(c) and TAR-H.

5. minlink(f) = k, by Claim 3 and definition.

6. awake = true, by Claim 1 and CON-A.

7. No FIND is in queue((q,p)), by Claim 3 and DC-D(a).

8. f ≠ g, by Claim 3.

9. (q,p) is an external link of g, by Claim 8.

10. minlink(g) = (q,p), by Claims 1 and 9 and CON-D.

11. level(g) ≤ level(f), by Claim 10 and COM-A.

12. l = level(g), by Claims 1 and 9 and CON-D.

13. level(f) = 0, by Claim 3 and COM-F.

14. l ≤ 0, by Claims 11, 12 and 13.

15. l = 0, by Claim 14 and COM-F.

16. nlevel(p) = 0, by Claims 3 and 13.


Subcase 1a: (p,q) ≠ k. By Claim 2 and GHS-A(c), lstatus((p,q)) = unknown in s', and the same is true in s. This fact, together with Claims 15 and 16, shows that the only change is that the CONNECT(l) message is requeued.

(3a) P_GHS can be shown to be true in s by an argument very similar to that for π = Start(p), Case 2, since the only change is that the CONNECT(l) message is requeued. Claim 7 verifies that GHS-C is true in s.

(3b)/(3c) For all x, A_x(s',π) = ChangeRoot(f). For x = CON, ChangeRoot(f) is enabled in S_x(s') by Claims 6, 4 and 3; for all other x, it is enabled by Claims 6, 4 and 5.

Claims about s:

17. lstatus(k) = branch, by code.

18. CONNECT(0) is added to the end of queue(k), by code.

19. rootchanged(f) = true, by Claims 17 and 18 and choice of k.

For most of the other derived variables, it is obvious that they are the same in s' and s. Although nstatus(p) changes, dcstatus(p) remains unchanged. Even though lstatus(k) changes to branch, MSF does not change, since a CONNECT message is in queue(k).

The effects of ChangeRoot(f) are mirrored in S_x(s) by Claims 17 and 19 for x = TAR, by Claim 18 for x = CON, and by Claim 19 for all other x.


Subcase 1b: (p,q) = k.

(3b)/(3c) For all x, A_x(s',π) = ChangeRoot(f) t_x Merge(f,g), where t_x is the result of applying ChangeRoot(f) to S_x(s'). ChangeRoot(f) is enabled in S_x(s') by Claims 6, 4 and 3 for x = CON, and by Claims 6, 4 and 5 for all other x. Its effects are obviously mirrored in t_x.

More claims about s':

20. k = (p,q), by assumption.

21. (p,q) is an external link of f, by Claim 8.

22. rootchanged(g) = true, by Claim 1 and Claim 9.

23. Only one CONNECT message is in queue((q,p)), by Claims 1 and 9 and CON-D.

24. lstatus((q,p)) = branch, by Claims 10 and 22 and TAR-H.

25. level(g) = 0, by Claims 12 and 15.

26. subtree(g) = {q}, by Claim 25 and COM-F.

27. nlevel(q) = 0, by Claims 25 and 26.

28. No INITIATE message is in queue((p,q)) or queue((q,p)), by Claims 9 and 21 and NOT-H(e).

29. No CONNECT message is in queue((p,r)) for any r ≠ q, by Claims 3 and 20 and CON-D.

30. No CONNECT message is in queue((q,r)) for any r ≠ p, by Claims 10 and 26 and CON-D.

Claims about t_x:

31. f ≠ g, by Claim 8.

32. rootchanged(f) = true, by definition of t_x.

33. rootchanged(g) = true, by Claim 22.

34. minedge(f) = minedge(g) = (p,q), by Claims 5, 10 and 20.

35. If x = CON, then CONNECT(0) is in cqueue((p,q)), by definition of t_x.

36. If x = CON, then CONNECT(0) is at the head of cqueue((q,p)), by Claims 1 and 15.

Merge(f,g) is enabled in t_x by Claims 34, 35 and 36 for x = CON, and by Claims 31, 32, 33 and 34 for all other x.

As we shall shortly show, MSF has changed: the connected components corresponding to f and g have combined. Let h be the fragment corresponding to this new connected component.

Claims about s:

37. No CONNECT is in queue((q,p)), by Claim 23 and code.

38. lstatus((q,p)) = branch, by Claim 24 and code.

39. (p,q) ∈ MSF, by Claims 37 and 38.

40. subtree(h) is nodes p and q and the edge between them, by Claims 3, 26 and 39.

41. INITIATE(1,(p,q),find) is in queue((p,q)), by code.

42. level(h) = 1, by Claims 16, 27, 28, 40 and 41.

43. core(h) = (p,q), by Claims 16, 27, 28, 40 and 41.

44. CONNECT(0) is in queue((p,q)), by code.

45. testset(h) = {p,q}, by Claims 41 and 44.

46. minlink(h) = nil, by Claim 45.

47. rootchanged(h) = false, by Claims 29, 30 and 40.

48. f and g are no longer in fragments, by Claims 3, 26, 40 and 43.

The effects of Merge(f,g) are mirrored in S_x(s) by Claims 40, 42, 43, 45, 46, 47 and 48 for x = TAR; by Claims 40, 41, 42, 43, 45, 47 and 48 for x = DC; by Claims 40, 41, 46, 47 and 48 for x = NOT; and by Claims 40, 42, 43, 46 and 48 for x = CON.

Section 4.2.7: GHS Simultaneously Simulates TAR, DC, NOT, CON


(3a) GHS-A: vacuously true for p by code. By Claim 1 and GHS-A(c), nstatus(q) ≠ sleeping in s'; since the same is true in s, changing q's subtree does not invalidate GHS-A(a).

GHS-B: Obviously, the only situation affected is the CONNECT added to queue((p,q)).

(a) queue((p,q)) has the correct contents in s because of the code and the fact that queue((p,q)) is empty in s' by Claim 2 and GHS-A(b).

(b) To show that queue((q,p)) is empty in s, we must show that it contains only the CONNECT in s'. By Claim 1 and GHS-C, there is no TEST or REJECT in queue((q,p)). By Claim 2 and GHS-H, testlink(p) = nil; thus, by TAR-D, no ACCEPT is in queue((q,p)). By Claim 3, DC-A(g) and DC-B(a), there is no REPORT in queue((q,p)). By Claim 3 and NOT-H(e), there is no NOTIFY in queue((q,p)). By Claim 3 and CON-C, there is no CHANGEROOT in queue((q,p)). By Claim 1, CON-D and CON-E, there is only one CONNECT in queue((q,p)).

(c) nstatus(p) ≠ find in s by code.

(d) By Claims 16 and 27, nlevel(p) = nlevel(q) = 0.

GHS-C: No FIND is in queue((p,q)) in s' by Claim 3 and DC-D(a). No REJECT is in queue((p,q)) in s' by Claim 3 and TAR-G. No TEST(l,c), for any l and c, is in queue((p,q)) in s', because by Claims 25 and 13 and TAR-E(b) and TAR-E(c), l = 0; yet by TAR-M, l ≥ 1.

GHS-D: By Claim 42.

GHS-E: By code for the INITIATE added to queue((p,q)). By Claim 28, this is the only relevant message affected.

GHS-H is true in s since nstatus(p) goes from sleeping to found, and testlink(p) is unchanged.

GHS-I: By Claim 45, p and q are both in testset(h) in s. We now show that nstatus(p) ≠ find and nstatus(q) ≠ find. Then by Claim 40, no node in subtree(h) is up-to-date, so the predicate is vacuously true (for h). By code, dcstatus(p) = found. By Claim 10 and GC-C, testset(g) = ∅ in s'; by Claim 26, no REPORT message is in subtree(g) in s'. Thus, by DC-I(b), dcstatus(q) ≠ find in s'.

GHS-J: vacuously true by Claims 40 and 45 for p and q. No relevant change for any other node.

No change affects the rest.


Case 2: nstatus(p) ≠ sleeping, l = nlevel(p), and no CONNECT message is in queue((p,q)) in s'.

Subcase 2a: lstatus((p,q)) = unknown in s'. The only change in going from s' to s is that the CONNECT message is requeued.

(3a) The only GHS predicates affected are GHS-B(a) and GHS-C. By TAR-A(b), (p,q) ∉ subtree(f). Thus, by DC-D(a), no FIND is in queue((q,p)) in s', and the predicates are still true in s.

(3b)/(3c) A_x(s',π) is empty for all x. We now show that S_x(s') = S_x(s) for all x, by showing that cqueue((q,p)) contains only the one CONNECT message in s'. By TAR-A(b), (p,q) is not in MSF. Thus, by CON-C, no CHANGEROOT is in cqueue((q,p)). By CON-D and CON-E, only one CONNECT message is in cqueue((q,p)).
Subcase 2b: lstatus((p,q)) ≠ unknown in s'.

(3b)/(3c) A_TAR(s',π) is empty, and A_x(s',π) = AfterMerge(p,q) for all other x.

Claims about s':

1. CONNECT is at head of queue_p((q,p)), by precondition.

2. nstatus(p) ≠ sleeping, by assumption.

3. nlevel(p) = l, by assumption.

4. No CONNECT is in queue((p,q)), by assumption.

5. lstatus((p,q)) ≠ unknown, by assumption.

6. If lstatus((p,q)) = rejected, then fragment(p) = fragment(q), by TAR-B.

7. If lstatus((p,q)) = branch, then (p,q) ∈ subtree(f), by Claim 4 and definition of MSF.

8. (p,q) is an internal link of f, by Claims 5, 6 and 7.

9. (p,q) = core(f), by Claims 1 and 8 and CON-E.

10. INITIATE(nlevel(p)+1,(p,q),find) is in queue((q,p)), by Claims 1, 3, 4 and 5 and GHS-B(a).

11. No INITIATE(nlevel(p)+1,(p,q),*) is in queue((p,q)), by Claims 1, 3, 4 and 5 and GHS-B(b).

12. dcstatus(q) ≠ find, by Claims 1, 4 and 5 and GHS-B(c).

13. No REPORT is in queue((q,p)), by Claims 1, 4 and 5 and GHS-B(a).

14. nlevel(q) = l, by Claims 1, 4 and 5 and GHS-B(d).

AfterMerge(p,q) is enabled in S_x(s') by Claims 9, 10, 11, 12 and 13 for x = DC; by Claims 3, 9, 10, 11 and 14 for x = NOT; and by Claims 1 and 9 for x = CON.

Claims about s:

15. CONNECT(l) is dequeued from queue_p((q,p)), by code.

16. FIND is in queue((p,q)), by code.

17. INITIATE(nlevel(p)+1,(p,q),find) is in queue((p,q)), by code.

The only derived variables that are not obviously unchanged are testset(f), level(f) and core(f). Claims 15 and 16 show that testset(f) is unchanged. Claims 10 and 17 show that level(f) and core(f) are unchanged.

The effects of AfterMerge(p,q) are mirrored in S_x(s) by Claim 16 for x = DC; by Claim 17 for x = NOT; and by Claim 15 for x = CON. It is easy to see that

(3a) GHS-A: By Claim 2, adding a message to a queue of p does not invalidate GHS-A(b).

GHS-B: By Claim 8 and CON-E, there is only one CONNECT message in queue((q,p)) in s'. Since it is removed in s, the predicate is vacuously true for a CONNECT in queue((q,p)). By Claim 4, the predicate is vacuously true for a CONNECT in queue((p,q)).

GHS-C: By Claim 4, vacuously true for queue((p,q)).




GHS-D: By Claim 10 and GHS-D, nlevel(p)+1 = level(f). This together with Claim 9 gives the result.

GHS-E is true by code.

No change affects the rest.


Case 3: nstatus(p) ≠ sleeping, l = nlevel(p), and a CONNECT message is in queue((p,q)) in s'.

(3b)/(3c) A_x(s',π) = Merge(f,g) for all x.

Claims about s':

1. CONNECT(l) is at head of queue((q,p)), by precondition.

2. l = nlevel(p), by assumption.

3. CONNECT(m) is in queue((p,q)), by assumption.

4. (p,q) is an external link of p, by Claims 1 and 3.

5. (q,p) is an external link of q, by Claims 1 and 3.

6. f ≠ g, by Claim 4.

7. rootchanged(f) = true, by Claims 1 and 4.

8. rootchanged(g) = true, by Claims 3 and 5.

9. (q,p) = minlink(g), by Claims 1 and 5 and CON-D.

10. (p,q) = minlink(f), by Claims 3 and 4 and CON-D.

11. minedge(f) = minedge(g), by Claims 9 and 10.

12. m = level(f), by Claims 3 and 4 and CON-D.

13. nlevel(p) = level(f), by Claim 10 and NOT-D.

14. m = l, by Claims 2, 12 and 13.

Merge(f,g) is enabled in S_CON(s') by Claims 1, 3, 4, 5 and 14, and for all other x by Claims 6, 7, 8 and 11.

15. Only one CONNECT message is in queue((q,p)), by Claim 1 and CON-D.

16. lstatus((q,p)) = branch, by Claims 8 and 9 and TAR-H.

17. lstatus((p,q)) = branch, by Claims 7 and 10 and TAR-H.

18. level(g) = l, by Claims 1 and 5 and CON-D.

19. If INITIATE(l',c,*) is in subtree(f), then l' ≤ l, by Claims 12 and 14.

20. If INITIATE(l',c,*) is in subtree(g), then l' ≤ l, by Claim 18.

21. nlevel(r) ≤ l for all r ∈ nodes(f), by Claims 12 and 14.

22. nlevel(r) ≤ l for all r ∈ nodes(g), by Claim 18.

23. No INITIATE message is in queue((q,p)) or queue((p,q)), by Claims 4 and 5 and NOT-H(e).

24. No CONNECT is in queue((r,t)), where r ∈ nodes(f) and (r,t) ≠ (p,q), by Claim 10 and CON-D and CON-F.

25. No CONNECT is in queue((r,t)), where r ∈ nodes(g) and (r,t) ≠ (q,p), by Claim 9 and CON-D and CON-F.

26. (p,q) ≠ core(f), by Claim 4 and COM-F.

27. (p,q) ≠ core(g), by Claim 5 and COM-F.

As we shall shortly show, MSF has changed: the connected components corresponding to f and g have combined. Let h be the fragment corresponding to this new connected component.

Claims about s:

28. No CONNECT is in queue((q,p)), by Claim 15 and code.

29. lstatus((q,p)) = branch, by Claim 16.

30. (p,q) ∈ MSF, by Claims 28 and 29.

31. subtree(h) is the union of the old subtree(f) and subtree(g) and (p,q), by Claim 30.

32. INITIATE(l+1,(p,q),find) is in queue((p,q)), by Claims 2 and 17 and code.

33. If INITIATE(l',c,*) is in subtree(h), then l' ≤ l+1, by Claims 19, 20, 23, 31 and 32.

34. nlevel(r) ≤ l for all r ∈ nodes(h), by Claims 21, 22 and 31.

35. level(h) = l+1, by Claims 33 and 34.

36. core(h) = (p,q), by Claims 19, 20, 23, 31, 32 and 34.

37. CONNECT(l) is in queue((p,q)), by Claims 3 and 14.

38. testset(h) = nodes(h), by Claims 31, 32 and 37.

39. minlink(h) = nil, by Claim 38.

40. rootchanged(h) = false, by Claims 24, 25 and 31.

41. f and g are no longer in fragments, by Claims 26, 27, 31 and 36.

The effects of Merge(f,g) are mirrored in S_x(s) by Claims 31, 35, 36, 38, 39, 40 and 41 for TAR; by Claims 31, 35, 36, 38, 40 and 41 for DC; by Claims 31, 39, 40 and 41 for NOT; and by Claims 28, 31, 35, 36, 39 and 41 for CON.


(3a) GHS-A: Vacuously true for p by assumption. Vacuously true for q by Claim 1 and GHS-A(b).

GHS-B: Obviously, the only situation affected is the CONNECT in queue((p,q)).

(a) We must show that in s', queue((p,q)) consists only of a CONNECT(l) message. (The code adds the appropriate INITIATE message.) By Claim 3 and GHS-C, no TEST or REJECT is in queue((p,q)). By Claim 4, DC-A(g) and DC-B(a), no REPORT is in queue((p,q)). By Claim 23, no NOTIFY is in queue((p,q)). By Claim 4 and CON-C, no CHANGEROOT is in queue((p,q)). By Claims 3 and 14, a CONNECT(l) message is in queue((p,q)), and by CON-E and CON-F, it is the only CONNECT message in that queue.

(b) A very similar argument to that in (a) shows that in s', queue((q,p)) consists only of a CONNECT(l) message. (Since it is removed in s, the queue is then empty.)

(c) If |nodes(f)| > 1, then dcstatus(p) ≠ find by Claim 10. Suppose subtree(f) = {p}. Obviously, no REPORT message is headed toward p in s'. By Claim 10 and GC-C, testset(f) = ∅ in s'. Thus, by DC-I(b), dcstatus(p) ≠ find in s'. In both cases, nstatus(p) does not change in s.

(d) nlevel(p) = l in s' by assumption. nlevel(q) = l in s' by Claims 9 and 18 and NOT-D. These values are unchanged in s.

GHS-C: By the same argument as in GHS-B(a), adding the INITIATE message is OK.

GHS-D: By Claim 35.

GHS-E: By code, for the INITIATE added. By Claim 23, there are no leftover INITIATE messages affected by the change of core.

GHS-I: We show no r ∈ nodes(h) in s is up-to-date. By Claim 38, r is in testset(h). By the same argument as in GHS-B(c), dcstatus(r) ≠ find.

GHS-J: Vacuously true by Claim 38.

No change affects the rest.

Case 4: nstatus(p) ≠ sleeping, and l < nlevel(p) in s'.

(3b)/(3c) A_x(s',π) = Absorb(f,g) for all x.

Claims about s':

1. CONNECT(l) is at head of queue((q,p)), by precondition.

2. l < nlevel(p), by assumption.

3. lstatus((p,q)) = unknown, or a CONNECT is in queue((p,q)), by Claims 1 and 2 and GHS-B(d).

4. (q,p) is an external link of g, by Claims 1 and 3.

5. minlink(g) = (q,p), by Claims 1 and 4 and CON-D.

6. l = level(g), by Claims 1 and 4 and CON-D.

7. rootchanged(g) = true, by Claims 1 and 4.

8. nlevel(p) ≤ level(f), by definition of level(f).

9. level(g) < level(f), by Claims 2, 6 and 8.

10. lstatus((q,p)) = branch, by Claims 5 and 7 and TAR-H.

11. If INITIATE(l',c,*) is in subtree(g), then l' < level(f), by Claims 6 and 9.

12. If INITIATE(l',c,*) is in subtree(f), then l' ≤ level(f), by definition of level(f).

13. nlevel(r) < level(f), for all r ∈ nodes(g), by Claims 6 and 9.

14. nlevel(r) ≤ level(f), for all r ∈ nodes(f), by definition of level(f).

15. No INITIATE message is in queue((q,p)) or queue((p,q)), by Claim 4 and NOT-H(e).

16. No CONNECT message is in queue((r,t)), where r ∈ nodes(g), (r,t) ≠ (q,p), by Claim 5 and CON-D and CON-F.

17. f ≠ g, by Claim 4.

18. l ≥ 0, by Claim 6 and COM-F.

19. level(f) > 0, by Claims 18 and 9.

20. core(f) ≠ nil, by Claim 19 and COM-F.

21. core(f) ∈ subtree(f), by Claim 20 and COM-F.

22. If subtree(g) = {q}, then core(g) = nil, by COM-F.

23. If subtree(g) ≠ {q}, then core(g) ∈ subtree(g), by COM-F.

24. Only one CONNECT message is in queue((q,p)), by Claims 1 and 4 and CON-D.

25. testset(g) = ∅, by Claim 5 and GC-C.

26. testlink(r) = nil, for all r ∈ nodes(g), by Claim 25.

27. If testlink(p) ≠ nil, then p ∈ testset(f), by definition.

28. If testlink(p) ≠ nil, then nstatus(p) = find, by GHS-H.

29. If nstatus(p) = find, then no FIND message is headed toward p, by DC-D(b) and DC-H(a).

30. lstatus((r,t)) ≠ unknown, where (r,t) = core(f), by Claim 21 and TAR-A(b).

31. If CONNECT is in queue((r,t)), then no CONNECT is in queue((t,r)), where (r,t) = core(f), by Claim 21.

32. If nstatus(p) = find and p ∈ subtree(r), then nstatus(r) = find, for all r, by DC-H(a).

33. If nstatus(p) = find, then no CONNECT is in queue((r,t)), where (r,t) = core(f) and p ∈ subtree(r), by Claims 30, 31 and 32 and GHS-B(c).

34. If nstatus(p) = find and p ∈ testset(f), then testlink(p) ≠ nil, by Claims 29 and 33.

Absorb(f,g) is enabled in S_x(s') by Claims 7, 9 and 5 for TAR and DC; by Claims 7, 6, 2 and 5 for NOT; and by Claims 1, 6, 9 and 5 for CON.

As we shall shortly show, MSF has changed: the connected components corresponding to f and g have combined. Let h be the fragment corresponding to this new connected component. We shall show that h = f, i.e., that the core of h in s is non-nil, and is the same as the core of f in s'.

Claims about s:

35. No CONNECT message is in queue((q,p)), by Claim 24 and code.

36. lstatus((q,p)) = branch, by Claim 10.

37. (p,q) ∈ MSF, by Claims 35 and 36.

38. subtree(h) is the union of the old subtree(f) and subtree(g) and (p,q), by Claim 37.

39. INITIATE(nlevel(p),nfrag(p),nstatus(p)) is in queue((p,q)), by code.

40. level(h) = old level(f), by Claims 11, 12, 13, 14, 15 and 38.

41. core(h) = old core(f), by Claims 11, 12, 13, 14, 15 and 38.

42. h = f, by Claim 41.

43. g ∉ fragments, by Claims 38 and 41.

44. NOTIFY(nlevel(p),nfrag(p)) is added to nqueue((p,q)), by code.

First, we discuss how testset(f) changes. If p ∈ testset(f) in s' because of a FIND or CONNECT message, then every node in nodes(g) in s' is in testset(f) in s because of the same FIND or CONNECT message. If p ∈ testset(f) in s' because testlink(p) ≠ nil, then a FIND message is added to queue((p,q)) in s, causing every node formerly in nodes(g) to be in testset(f). If p is not in testset(f) in s', then no FIND message is headed toward p, and no CONNECT message is in queue((r,t)), with p ∈ subtree(r); thus, Claim 25 implies that in s, no node formerly in nodes(g) is in testset(f).

By the previous paragraph, and inspection, the effects of Absorb(f,g) are mirrored in S_x(s) by Claims 36, 38, 42 and 43 for x = TAR; by Claims 27, 28, 34, 38, 42 and 43 for x = DC; by Claims 38, 42, 43 and 44 for x = NOT; and by Claims 35, 38, 42 and 43 for x = CON.
(3a) GHS-A is vacuously true in s by the assumption that nstatus(p) ≠ sleeping in s'.

GHS-B: vacuously true for a CONNECT in queue((q,p)) by Claim 35. By Claim 4 and CON-D, if CONNECT is in queue((p,q)), then minlink(f) = (p,q). But by Claim 9 and COM-A, this cannot be. Thus the predicate is vacuously true for a CONNECT in queue((p,q)).

GHS-D: Suppose nstatus(p) = find in s'. By DC-I(a), p is up-to-date, and by GHS-I, nlevel(p) = level(f).

GHS-E: Vacuously true by Claims 4, 21 and 41.

GHS-I: As argued in GHS-J, no node formerly in nodes(g) is up-to-date in s. No change affects nodes formerly in nodes(f).

GHS-J: Let r be any node in nodes(f) in s'. If r is up-to-date, r ∉ testset(f), and (r,t) is the minimum-weight external link of r, then nlevel(r) ≤ nlevel(t) by GHS-J. By Claim 9, fragment(t) ≠ g. Thus in s, (r,t) is still external. By DC-L, inbranch(r) is in subtree(g) (or nil) for all r ∈ nodes(g) in s'. By Claim 21, core(f) ∈ subtree(f) in s', and by Claim 41, core(f) is unchanged in s. Thus following inbranches in s from any r formerly in nodes(g) does not lead to core(f), so no r formerly in nodes(g) is up-to-date in s.

No change affects the rest.


vi) π is ReceiveInitiate((q,p),l,c,st). Let f = fragment(p).

(3b)/(3c) Case 1: st = find. A_TAR(s',π) = SendTest(p).

If there is a link (p,r) such that lstatus((p,r)) = unknown in s', then A_DC(s',π) = ReceiveFind((q,p)); otherwise A_DC(s',π) = ReceiveFind((q,p)) t TestNode(p), where t is the state resulting from applying ReceiveFind((q,p)) to S_DC(s').

A_NOT(s',π) = ReceiveNotify((q,p),l,c).

A_CON(s',π) is empty.

Claims about s':

1. INITIATE(l,c,find) is at the head of queue_p((q,p)), by precondition.

2. (p,q) ∈ subtree(f), by Claim 1 and DC-D(a).

3. minlink(f) = nil, by Claims 1 and 2.

4. If lstatus((p,r)) = rejected then fragment(p) = fragment(r), for all r, by TAR-B.

5. If lstatus((p,r)) = branch, then (p,r) ∈ subtree(f), for all r, by Claim 3 and TAR-A(a).

6. If (p,r) ∈ subtree(f), then lstatus((p,r)) = branch for all r, by TAR-A(b).

7. If |S| = 0 and no lstatus((p,r)) is unknown, then p ≠ mw-root(f), by definition of mw-root and Claims 4, 5 and 6.

8. p ∈ testset(f), by Claims 1 and 2.

9. dcstatus(p) = unfind, by Claim 1 and DC-D(b).

10. testlink(p) = nil, by Claim 9 and GHS-H.

11. l = level(f), by Claims 1 and 2 and GHS-D.

12. c = core(f), by Claims 1 and 11 and NOT-A.

13. No other FIND message is headed toward p, by Claims 1 and 2 and DC-S.

14. core(f) ≠ nil, by Claim 2 and COM-F.

Let (r,t) = core(f).

15. (r,t) ∈ subtree(f), by Claim 14 and COM-F.

Let p be in subtree(r).

16. If (p,q) ≠ (r,t) then dcstatus(q) = find, by Claim 1 and DC-D(a).

17. If (p,q) ≠ (r,t) then dcstatus(r) = find, by Claim 16 and DC-H(a).

18. If (p,q) ≠ (r,t) then either no CONNECT is in queue((r,t)), or lstatus((t,r)) = unknown, or a CONNECT is in queue((t,r)), by Claim 17 and GHS-B(c).

19. If (p,q) = (r,t) then either no CONNECT is in queue((r,t)), or lstatus((t,r)) = unknown, or a CONNECT is in queue((t,r)), by Claim 1 and GHS-B(b).

20. Either no CONNECT is in queue((r,t)), or lstatus((t,r)) = unknown, or a CONNECT is in queue((t,r)), by Claims 18 and 19.

21. lstatus((t,r)) ≠ unknown, by Claim 15 and TAR-A(b).

22. If CONNECT is in queue((t,r)) then no CONNECT is in queue((r,t)), by Claim 15.

23. If no CONNECT is in queue((t,r)) then no CONNECT is in queue((r,t)), by Claims 20, 21 and 22.

24. No CONNECT is in queue((r,t)), by Claims 22 and 23.

25. If (p,q) ≠ (r,t) then AfterMerge(p,q) is not enabled (for DC or NOT), since (r,t) = core(f).

26. If (p,q) = (r,t) then AfterMerge(p,q) is not enabled (for DC or NOT), by Claim 24 and GHS-L.
27. If there is no unknown link of p, then there is no external link of p, by Claims 4 and 5.

28. If (p,q) ≠ (r,t), then q is up-to-date, by Claim 16 and DC-I(a).

SendTest(p) is enabled in S_TAR(s') by Claims 8 and 10. ReceiveFind((q,p)) is enabled in S_DC(s') by Claims 1, 25 and 26. ReceiveNotify((q,p),l,c) is enabled in S_NOT(s') by Claims 1, 25 and 26.

Claims about t (only defined when there are no unknown links of p in s'):

29. p ∈ testset(f), by Claim 8.

30. There is no external link of p, by Claim 27.

31. dcstatus(p) = find, by definition of t.

TestNode(p) is enabled in t by Claims 29, 30 and 31.

Claims about s:

32. level(f) = l, by Claim 11 and code.

33. core(f) = c, by Claim 12 and code.

34. No FIND message is headed toward p, by Claim 13 and code.

35. No CONNECT is in queue((t,r)), by Claim 24 and code.

36. There is no unknown link of p (in s') if and only if testlink(p) = nil (in s), by Claim 10 and code.

37. There is no unknown link of p (in s') if and only if p ∉ testset(f) (in s), by Claims 34, 35 and 36.

38. If |S| > 0 (in s') then a FIND message is in subtree(f), by Claim 5 and code.

39. If |S| = 0 and there is no unknown link of p (in s'), then p ≠ mw-root(f) (in s), by Claim 7 and code.

40. If |S| = 0 and there is no unknown link of p (in s'), then either a REPORT message is headed toward mw-root(f), or there is no external link of f (in s), by Claims 28 and 39 and code.

41. If there is an unknown link of p (in s'), then nstatus(p) = find (in s), by code.

42. minlink(f) = nil, by Claims 38, 40 and 41.

The changes (or lack of changes) to the remaining derived variables are obvious.

The effects of SendTest(p) are mirrored in S_TAR(s) by Claims 11, 12, and 37 for the changes, and Claims 32, 33, 3 and 42 for the lack of changes. If there is an unknown link of p in s', then the effects of ReceiveFind((q,p)) are mirrored in S_DC(s) by Claims 5, 6, 36 and 37 for changes, and Claims 3, 11, 12, 32, 33, 37 and 42 for lack of changes. If there is no unknown link of p in s', then the effects of ReceiveFind((q,p)) followed by TestNode(p) are mirrored in S_DC(s) by Claims 5, 6, 36 and 37 for changes, and Claims 3, 11, 12, 32, 33 and 42 for lack of changes. The effects of ReceiveNotify((q,p),l,c) are mirrored in S_NOT(s) by Claims 3, 4 and 42.

S_CON(s') = S_CON(s) by Claims 3, 11, 12, 32, 33, and 42.


Case 2: st ≠ find.

A_NOT(s',π) = ReceiveNotify((q,p),l,c). A_x(s',π) is empty for all other x.

Claims about s':

1. INITIATE(l,c,found) is at the head of queue_p((q,p)), by precondition.

2. (p,q) ∈ subtree(f), by Claim 1 and NOT-H(e).

3. nlevel(p) < l, by Claim 1 and NOT-H(a).

4. nlevel(p) < level(f), by Claims 1, 2 and 3.

5. p ≠ minnode(f), by Claims 1 and 2 and NOT-I.

6. If lstatus((p,r)) = branch, then (p,r) ∈ subtree(f), for all r ≠ q, by Claim 5 and TAR-A(a).

7. If (p,r) ∈ subtree(f), then lstatus((p,r)) = branch, for all r ≠ q, by TAR-A(b).

8. p is not up-to-date, by Claim 4 and GHS-I.

9. nstatus(p) ≠ find, by Claim 8 and DC-I(a).

10. (p,q) ≠ core(f), by Claim 1 and GHS-E.

11. AfterMerge(p,q) for NOT is not enabled, by Claim 10.

By Claim 9, dcstatus(p) = unfind in both s' and s, and thus minlink(f) is unchanged. The changes, or lack of changes, to the remaining derived variables are obvious.

By Claims 1 and 11, ReceiveNotify((q,p),l,c) is enabled in S_NOT(s'). Its effects are mirrored in S_NOT(s) by Claims 6 and 7.

It is easy to see that S_x(s') = S_x(s) for all other x.


(3a) GHS-A: By DC-D(a), (p,q) ∈ subtree(f). So by GHS-A(a), nstatus(p) ≠ sleeping in s'. Since the same is true in s, the predicate is vacuously true.

GHS-B: Vacuously true for a CONNECT in queue((q,p)) by GHS-B(a) and the fact that INITIATE is first in the queue. Vacuously true for a CONNECT in queue((p,q)) by GHS-B(b) and the presence of INITIATE in queue((q,p)). The only other situation to consider is the addition of an INITIATE message to queue((p,r)), r ≠ q, with lstatus((p,r)) = branch. As shown in (3b)/(3c), (p,r) ∈ subtree(f). By NOT-H(e), either (p,q) = core(f) or p is a child of q, so (p,r) ≠ core(f). Thus by CON-E, no CONNECT is in queue((p,r)), or in queue((r,p)).

GHS-C: Adding a FIND message does not falsify the predicate. Suppose a TEST message is added to queue((p,r)). Then in s', st = find.

Case 1: (p,r) is an internal link of f. By TAR-A(b), (p,r) ∉ subtree(f). By COM-F, (p,r) ≠ core(f). By CON-E, no CONNECT is in queue((p,r)).

Case 2: (p,r) is an external link of f. Since there is a FIND message in subtree(f) in s', minlink(f) = nil. By CON-D, no CONNECT is in queue((p,r)).

GHS-D: Since it is true for the INITIATE in queue((q,p)) in s', it is true for any INITIATE added in s.

GHS-E: As shown in GHS-B, (p,r) ≠ core(f).

GHS-F: By NOT-H(a), nlevel(p) increases, so the predicate is still true for any leftover TEST messages. The predicate is true by code for the TEST message added.

GHS-G: Case 1: An ACCEPT is in queue((p,r)). By NOT-H(a), nlevel(p) increases, so the predicate is still true.

Case 2: An ACCEPT is in queue((r,p)). By TAR-D, testlink(p) = (p,r). By GHS-H, nstatus(p) = find. But by Claim 9 (for both Case 1 and Case 2 of (3b)/(3c)), nstatus(p) ≠ find. So there is no ACCEPT in queue((r,p)), and the predicate is vacuously true.

GHS-H is true by code.

GHS-I: Case 1: st = find. By code nlevel(p) = l, and by Claim 32 in Case 1 of (3b)/(3c), l = level(f).

Case 2: st = found. By NOT-H(a), nlevel(p) < l. Thus nlevel(p) < level(f), so by GHS-I, p is not up-to-date in s'. Since all inbranches remain the same in s and nstatus(p) ≠ find in s, p is still not up-to-date.

GHS-J: Case 1: st = find. By Claim 37 in Case 1 of (3b)/(3c), p ∉ testset(f) in s if and only if there is no external link of p, so the predicate is vacuously true.

Case 2: st ≠ find. As in GHS-I, Case 2, p is not up-to-date, so the predicate is vacuously true.

vii) π is ReceiveTest((q,p),l,c). Let f = fragment(p).

Case 1: nstatus(p) = sleeping in s'.

(3b)/(3c) A_TAR(s',π) = ChangeRoot(f) t π, where t is the same as S_TAR(s') except that rootchanged(f) = true and lstatus(minlink(f)) = branch in t.

A_x(s',π) = ChangeRoot(f) for all other x.

Claims about s':

1. TEST(l,c) is at the head of queue_p((q,p)), by precondition.

2. nstatus(p) = sleeping, by assumption.

3. subtree(f) = {p}, by Claim 2 and GHS-A.

4. minlink(f) ≠ nil, by Claim 3 and definition.

5. rootchanged(f) = false, by Claim 2, GHS-A(c) and TAR-H.

6. level(f) = 0, by Claim 3 and COM-F.

7. nlevel(p) = 0, by Claims 3 and 6.

8. l ≥ 1, by TAR-M.

9. l > nlevel(p), by Claims 7 and 8.

10. l > level(f), by Claims 6 and 8.

11. awake = true, by Claim 1 and GHS-A(b).

Claims about s:

12. The TEST message is requeued, by Claim 9.

13. lstatus(minlink(f)) = branch, by code.

14. CONNECT(0) is in queue(minlink(f)), by code.

15. minlink(f) does not change (i.e., is still external), by Claims 13 and 14.

16. rootchanged(f) = true, by Claims 14 and 15.

ChangeRoot(f) is enabled in S_x(s') by Claims 11, 3 and 5 for x = CON, and by Claims 11, 4 and 5 for all other x.

TAR: Effects of ChangeRoot(f) are mirrored in t by its definition. π is enabled in t by definition. Its effects are mirrored in S_TAR(s) by Claim 12.

For all other x, the effects of ChangeRoot(f) are mirrored in S_x(s) by Claim 16 for DC and NOT, and by Claim 14 for CON.

(3a) P_GHS is true in s by essentially the same argument as in π = Start(p), Case 2.


Case 2: nstatus(p) ≠ sleeping in s'.

(3b)/(3c) A_TAR(s',π) = π if l ≤ nlevel(p) or nlevel(p) = level(f) in s', and is empty otherwise.

A_DC(s',π) = TestNode(p) if l ≤ nlevel(p), c = nfrag(p), testlink(p) = (p,q) and lstatus((p,r)) ≠ unknown for all r ≠ q, in s', and is empty otherwise.

A_x(s',π) is empty for all other x.

First we discuss what happens to testset(f) and minlink(f).

We show testset(f) is unchanged, except that p is removed from testset(f) if and only if l ≤ nlevel(p), c = nfrag(p), testlink(p) = (p,q), and there is no link (p,r), r ≠ q, with lstatus((p,r)) = unknown. If testlink(p) does not change from non-nil to nil (or vice versa), then obviously testset(f) is unchanged. The only place testlink(p) is changed in this way is in procedure Test(p), exactly if there are no more unknown links of p; Test(p) is executed if and only if l ≤ nlevel(p), c = nfrag(p), and testlink(p) = (p,q) in s'. Suppose testlink(p) is changed from non-nil to nil. Since testlink(p) ≠ nil in s', GHS-M implies that no FIND message is headed toward p, and no CONNECT message is in queue((r,t)), where (r,t) = core(f) and p ∈ subtree(r). Thus in s, since testlink(p) = nil, p is not in testset(f).

Now we show that minlink(f) does not change. If dcstatus(p) does not change, and no REPORT message is added to any queue, then obviously minlink(f) does not change. Suppose dcstatus(p) changes, and a REPORT message is added to a queue (in procedure Report(p)). Then l ≤ nlevel(p), c = nfrag(p), testlink(p) = (p,q), there are no more unknown links of p (so testlink(p) is set to nil), and findcount(p) = 0.

Claims about s':

1. testlink(p) = (p,q), by assumption.

2. nstatus(p) = find, by Claim 1 and GHS-H.

3. minlink(f) = nil, by Claim 2.

4. If (p,r) = core(f), then a FIND message is in queue((p,r)), or dcstatus(r) = find, or a REPORT message is in queue((r,p)), by Claim 2 and DC-J.

5. p is up-to-date, by Claim 2 and DC-I(a).

Claims about s:

6. If p ≠ mw-root(f), then either there is no external link of f, or a REPORT is headed toward mw-root(f), by Claim 5 and code.

7. If p = mw-root(f), then either a FIND is in queue((p,r)), or dcstatus(r) = find, or a REPORT is in queue((r,p)), where core(f) = (p,r), by Claim 4 and code.

8. minlink(f) = nil, by Claims 6 and 7.

Claims 3 and 8 give the result.

TAR: First, suppose l > nlevel(p) and nlevel(p) ≠ level(f).

Claims about s':

1. l > nlevel(p), by assumption.

2. nlevel(p) ≠ level(f), by assumption.

3. p is not up-to-date, by Claim 2 and GHS-I.

4. nstatus(p) ≠ find, by Claim 3 and DC-I(a).

5. testlink(p) = nil, by Claim 4 and GHS-H.

6. There is no protocol message for (p,q), by Claim 5 and TAR-D.

7. The TEST message in queue((q,p)) is a protocol message for (q,p), by Claim 6.

8. testlink(q) = (q,p), by Claim 7 and TAR-D.

9. There is exactly one protocol message for (q,p), by Claim 8 and TAR-C(c).

10. There is only one TEST message in tarqueue((q,p)), by Claim 9.

By Claims 6 and 10, the TEST is the only TAR message in tarqueue((q,p)). Since the TEST message is requeued in GHS, tarqueue((q,p)) is unchanged. By earlier remarks about testset(f) and minlink(f), and by inspection, the other derived variables (for TAR) are unchanged. Thus, S_TAR(s') = S_TAR(s).

Second, suppose l > nlevel(p) and nlevel(p) = level(f). Then the TEST message is requeued in GHS and in TAR. By earlier remarks about testset(f) and minlink(f), and by inspection, S_TAR(s') π S_TAR(s) is an execution fragment of TAR.


Third, suppose l ≤ nlevel(p). Let g = fragment(q).

Claims about s':

1. TEST(l,c) is at the head of queue_p((q,p)), by precondition.

2. l ≤ nlevel(p), by assumption.

3. If lstatus((q,p)) ≠ rejected, then c = core(g) and l = level(g), by Claim 1 and TAR-E(b).

4. If lstatus((q,p)) = rejected, then c = core(f) and l = level(f), by Claim 1 and TAR-E(c).

5. c ≠ nil, by Claim 1 and TAR-M.

Next we show that c = core(f) if and only if c = nfrag(p). First, suppose c = core(f).

6. c = core(f), by assumption.

7. If lstatus((q,p)) = rejected, then nlevel(p) = level(f), by Claims 2 and 4 and definition of level(f).

8. If lstatus((q,p)) ≠ rejected, then core(g) = core(f), by Claims 3 and 6.

9. If lstatus((q,p)) ≠ rejected, then c ∈ subtree(g) and c ∈ subtree(f), by Claims 5, 6 and 8 and COM-F.

10. If lstatus((q,p)) ≠ rejected, then f = g, by Claim 9 and COM-G.

11. If lstatus((q,p)) ≠ rejected, then l = level(f), by Claims 3 and 10.

12. If lstatus((q,p)) ≠ rejected, then nlevel(p) = level(f), by Claims 2 and 11 and definition of level(f).

13. nlevel(p) = level(f), by Claims 8 and 12.

14. nfrag(p) = core(f), by Claim 13 and NOT-A.

15. nfrag(p) = c, by Claims 6 and 14.

Now suppose c = nfrag(p).

16. c = nfrag(p), by assumption.

17. c ∈ subtree(f), by Claims 5 and 16 and NOT-F.

18. If lstatus((q,p)) ≠ rejected, then c ∈ subtree(g), by Claims 5 and 3 and COM-F.

19. If lstatus((q,p)) ≠ rejected, then f = g, by Claims 17 and 18 and COM-G.

20. If lstatus((q,p)) ≠ rejected, then c = core(f), by Claims 3 and 19.

21. c = core(f), by Claims 4 and 20.

π is enabled in S_TAR(s') by Claim 1. We now verify that the effects are mirrored in S_TAR(s). By the above argument, c ≠ nfrag(p) if and only if c ≠ core(f). Thus, the body of ReceiveTest for TAR is simulated correctly. Consider procedure Test(p). If it is executed, then c = nfrag(p) in s'. By Claim 21, nfrag(p) = core(f), and by NOT-E, nlevel(p) = level(f). Thus the TEST messages sent in procedure Test(p) in GHS correspond to those sent in TAR. By the discussion at the beginning of Case 2, testset(f) is updated correctly, and minlink(f) is unchanged. The changes or lack of changes to the other derived variables are obvious.

DC: First, suppose l ≤ nlevel(p), c = nfrag(p), testlink(p) = (p,q), and lstatus((p,r)) ≠ unknown for all r ≠ q, in s'.

Claims about s':

1. TEST(l,c) is at the head of queue_p((q,p)), by precondition.

2. l ≤ nlevel(p), by assumption.

3. c = nfrag(p), by assumption.

4. testlink(p) = (p,q), by assumption.

5. lstatus((p,r)) ≠ unknown, for all r ≠ q, by assumption.

6. p ∈ testset(f), by Claim 4 and TAR-C(b).

7. minlink(f) = nil, by Claim 6 and GC-C.

8. If lstatus((p,r)) = branch, then (p,r) ∈ subtree(f), for all r ≠ q, by Claim 7 and TAR-A(a).

9. If lstatus((p,r)) = rejected, then fragment(r) = f, for all r ≠ q, by TAR-B.

10. c = core(f), by Claims 1, 2 and 3 and the argument just given for TAR.

11. fragment(q) = f, by Claims 1 and 10 and TAR-N.

12. There is no external link of p, by Claims 8, 9, 11 and 5.

13. nstatus(p) = find, by Claim 4 and GHS-H.

TestNode(p) is enabled in S_DC(s') by Claims 6, 12 and 13. Its effects are mirrored in S_DC(s) by the earlier discussion about testset(f) and minlink(f) and by Claim 12. (The disposition of the rest of the derived variables should be obvious.)

Now suppose l > nlevel(p) or c ≠ nfrag(p) or testlink(p) ≠ (p,q) or there is a link (p,r) with lstatus((p,r)) = unknown and r ≠ q. Then S_DC(s') = S_DC(s) by inspection and earlier discussion of testset(f) and minlink(f).

NOT and CON: We want to show S_x(s') = S_x(s) for x = NOT and CON. The only derived variables for these two that are not obviously unchanged are minlink(f) and rootchanged(f). (Because of the presence of the TEST message in queue((q,p)), GHS-A(b) implies that awake = true in s', so changes to nstatus(p) do not change awake.) Since we already showed minlink(f) is unchanged, it is obvious that rootchanged(f) is unchanged.
(3a) GHS-A is vacuously true by the assumption that nstatus(p) ≠ sleeping.

GHS-B: First we show that if the hypotheses of this predicate are false for a link in s', then they are still false in s. The only way they could go from false to true is by lstatus((p,q)) going from unknown to rejected. But since TEST is in queue((q,p)) in s', by GHS-C no CONNECT is in queue((q,p)) in s', or in s.

Now we show that the state changes do not invalidate (a) through (d) for a link, assuming that the hypotheses are true for that link in s'.

Case A: TEST is requeued. No change affects the predicate.

Case B: ACCEPT or REJECT is added to queue((p,q)). We already showed that no CONNECT is in queue((q,p)). Because of the TEST in queue((q,p)), the preconditions of the predicate are not true for a CONNECT in queue((p,q)) in s'.

Case C: TEST is added to some queue((p,r)). Since lstatus((p,r)) = unknown, the preconditions are not true in s' for a CONNECT in queue((r,p)). Since the TEST is added, testlink(p) = (p,q) in s'. By GHS-H, nstatus(p) = find in s'. So by GHS-B(c), the preconditions are not true in s' for a CONNECT in queue((p,r)).

Case D: REPORT is added to queue(inbranch(p)). Let (p,r) = inbranch(p) in s'. As in Case C, the predicate is vacuously true for a CONNECT in queue((p,r)). As in Case C, nstatus(p) = find in s', so p is up-to-date by DC-I(a). By GHS-I, nlevel(p) = level(f). Since by DC-L, (p,r) ∈ subtree(f), there cannot be an INITIATE(nlevel(p)+1,*,*) message in queue((r,p)). By GHS-B(a), the preconditions are not true for a CONNECT in queue((r,p)).

GHS-H: By code.

GHS-J: If p is removed from testset(f), then as in Claim 12 of (3b)/(3c) for DC, there is no external link of p.

GHS-C: Case 1: REJECT is added to queue((p,q)). Then l ≤ nlevel(p), c = nfrag(p), and testlink(p) ≠ (p,q) in s'. As argued in Lemma 17, verifying (3c) of Case 1 for π = ReceiveTest, (p,q) is an internal link of f. By TAR-E(a), (p,q) ≠ core(f), so by CON-E, no CONNECT is in queue((p,q)).

Case 2: TEST is added to queue((p,r)). Then in s', l ≤ nlevel(p), c = nfrag(p), testlink(p) = (p,q), and lstatus((p,r)) = unknown.

Case 2a: (p,r) is an internal link of f. By TAR-A(b), (p,r) ∉ subtree(f). By COM-F, (p,r) ≠ core(f). By CON-E, no CONNECT is in queue((p,r)).

Case 2b: (p,r) is an external link of f. By GHS-H, nstatus(p) = find. Thus minlink(f) = nil. By CON-D, no CONNECT is in queue((p,r)).

GHS-G: Suppose ACCEPT is added to queue((p,q)). Then l ≤ nlevel(p) in s'. As argued in Lemma 17, verifying TAR-F for π = ReceiveTest, l = level(fragment(q)). By GHS-F, l ≤ nlevel(q). So l = nlevel(q).

No changes affect the rest.

viii) π is ReceiveAccept((q,p)). Let f = fragment(p).

(3b)/(3c) A_TAR(s',π) = π. A_DC(s',π) = TestNode(p). A_x(s',π) is empty for all other x.

An argument similar to that used in π = ReceiveTest((q,p),l,c), Case 2, shows that minlink(f) is unchanged.

TAR: Claims about s':

1. ACCEPT is at the head of queue_p((q,p)), by precondition.

2. There is a protocol message for (p,q), by Claim 1.

3. testlink(p) = (p,q), by Claim 2 and TAR-D.

4. No FIND message is headed toward p, by Claim 3 and GHS-M.

5. No CONNECT message is in queue((r,t)), where (r,t) = core(f) and p ∈ subtree(r), by Claim 3 and GHS-M.

Claims about s:

6. testlink(p) = nil, by code.

7. No FIND message is headed toward p, by Claim 4.

8. No CONNECT message is in queue((r,t)), where (r,t) = core(f) and p ∈ subtree(r), by Claim 5 and code.

9. p ∉ testset(f), by Claims 6, 7 and 8.

π is enabled in S_TAR(s') by Claim 1; its effects are mirrored in S_TAR(s) by Claims 6 and 9, and discussion of minlink(f). (The disposition of the remaining derived variables should be obvious.)

DC: More claims about s':

10. p ∈ testset(f), by Claim 3.

11. minlink(f) = nil, by Claim 10.

12. fragment(q) ≠ f, by Claim 1 and TAR-F.

13. level(f) ≤ level(fragment(q)), by Claim 1 and TAR-F.

14. lstatus((p,q)) ≠ branch, by Claims 11 and 12 and TAR-A(a).

15. (p,q) is the minimum-weight external link of p with lstatus unknown, by Claims 3 and 14 and TAR-C(d).

16. If lstatus((p,r)) = rejected, then (p,r) is not external, for all r, by TAR-B.

17. If lstatus((p,r)) = branch, then (p,r) is not external, for all r, by Claim 11 and TAR-A(a).

18. If (p,r) is external, then lstatus((p,r)) = unknown, for all r, by Claims 16 and 17.

19. (p,q) is the minimum-weight external link of p, by Claims 15 and 18.

20. nstatus(p) = find, by Claim 3 and GHS-H.

TestNode(p) is enabled in S_DC(s') by Claims 10, 19 and 13, and 20. Its effects are mirrored in S_DC(s) by Claims 9, 19 and 6.

NOT and CON: It is easy to verify that S_x(s') = S_x(s) for x = NOT and CON.

(3a) GHS-A: By Claim 20, vacuously true in s.

GHS-B: Suppose a REPORT message is added to queue((p,r)) in s. Let (p,r) = inbranch(p). By Claim 20 and DC-I(a), p is up-to-date in s'. By GHS-I, nlevel(p) = level(f). By DC-L, (p,r) ∈ subtree(f), so no INITIATE(nlevel(p)+1,*,*) can be in queue((p,r)) or queue((r,p)). By GHS-B(a), the preconditions for a CONNECT in queue((p,r)) or queue((r,p)) are not true in s', or in s.

GHS-H: By code, testlink(p) = nil.

GHS-J: By Claim 19 and GHS-G.

No changes affect the rest.

ix) π is ReceiveReject((q,p)). Let f = fragment(p).

(3b)/(3c) A_TAR(s',π) = π.

A_DC(s',π) = TestNode(p) if there is no r ≠ q such that lstatus((p,r)) = unknown in s, and is empty otherwise.

A_x(s',π) is empty for all other x.

An argument similar to that in π = ReceiveTest((q,p),l,c), Case 2, shows that minlink(f) is unchanged.

TAR: Claims about s':

1. REJECT is at the head of queue_p((q,p)), by precondition.

2. There is a protocol message for (p,q), by Claim 1.

3. testlink(p) = (p,q), by Claim 2 and TAR-D.

4. No FIND message is headed toward p, by Claim 3 and GHS-M.

5. No CONNECT message is in queue((r,t)), where (r,t) = core(f) and p ∈ subtree(r), by Claim 3 and GHS-M.

6. nstatus(p) = find, by Claim 3 and GHS-H.

7. nlevel(p) = level(f), by Claim 6, DC-I(a) and GHS-I.

8. nfrag(p) = core(f), by Claim 7 and NOT-A.

Claims about s:

9. If there is no link (p,r) with lstatus((p,r)) = unknown (in s'), then testlink(p) = nil (in s), by code.

10. No FIND message is headed toward p, by Claim 4.

11. No CONNECT message is in queue((r,t)), by Claim 5.

12. If there is no link (p,r) with lstatus((p,r)) = unknown (in s'), then p ∉ testset(f) (in s), by Claims 9, 10 and 11.

π is enabled in S_TAR(s') by Claim 1. Its effects are mirrored in S_TAR(s) by Claims 9, 12, 7 and 8, and earlier discussion of minlink(f).

DC: If there is a link (p,r) such that lstatus((p,r)) = unknown and r ≠ q, then it is easy to check that S_DC(s') = S_DC(s). Suppose there is no unknown link (other than (p,q)).

More claims about s':

13. lstatus((p,r)) ≠ unknown, for all r ≠ q, by assumption.

14. minlink(f) = nil, by Claim 6.

15. If lstatus((p,r)) = branch, then (p,r) ∈ subtree(f), for all r ≠ q, by Claim 14 and TAR-A(a).

16. If lstatus((p,r)) = rejected, then fragment(r) = f, for all r ≠ q, by TAR-B.

17. fragment(q) = f, by Claim 1 and TAR-G.

18. There are no external links of p, by Claims 13, 15, 16 and 17.

19. p ∈ testset(f), by Claim 3 and TAR-C(b).

TestNode(p) is enabled in S_DC(s') by Claims 19, 18 and 6. Its effects are mirrored in S_DC(s) by Claims 9 and 12.

NOT and CON: It is easy to show that S_x(s') = S_x(s) for x = NOT and CON.

(3a) GHS-A: Vacuously true by Claim 6.

GHS-B: Either a TEST or a REPORT message is added. The argument is very similar to that in π = ReceiveTest((q,p),l,c), Case 2 of (3a).

GHS-C: Only affected if a TEST is added. The argument is very similar to that in π = ReceiveTest((q,p),l,c), Case 2 of (3a).

GHS-H: The argument is very similar to that in π = ReceiveTest((q,p),l,c), Case 2 of (3a).

GHS-I: Suppose p is removed from testset(f). By Claim 12, this only happens when there are no more unknown links. By Claim 18, p has no external links if there are no more unknown links.

No changes affect the rest.

x)  TT  is  ReceiveReport((q,p},w).  Let  /  =  fTagment{p). 

(3b)/(3c) Case 1: (p,q) = core(f), nstatus(p) ≠ find and w > bestwt(p) in s'. This case is divided into two subcases; first we prove some claims true in both subcases. Let (r,t) be the minimum-weight external link of f in s'. (Below, we show it exists.)

Claims about s':

1. REPORT(w) is at the head of queue((q,p)), by assumption.

2. (p,q) = core(f), by assumption.

3. nstatus(p) ≠ find, by assumption.

4. w > bestwt(p), by assumption.

5. ReceiveReport((q,p),w) is enabled in S_DC(s'), by Claim 1.

6. ComputeMin(f) (for GC) is enabled in S_4(S_DC(s')), by Claims 2, 3, 4 and 5 and argument in proof of Lemma 19, Case 1 of verifying (3c) for π = ReceiveReport.

7. minlink(f) = nil, by Claim 6.

8. accmin(f) ≠ nil, by Claim 6.

9. testset(f) = ∅, by Claim 6.

10. ComputeMin(f) (for COM) is enabled in S_2(S_4(S_DC(s'))), by Claim 6 and argument in proof of Lemma 15, verifying (3c) for π = ComputeMin.

11. level(f) ≤ level(fragment(t)), by Claim 10.

12. accmin(f) = (r,t), by Claims 8 and 9 and GC-A.

13. r is up-to-date, by Claim 9, DC-N, and choice of (r,t).

14. nlevel(r) = level(f), by Claim 13 and GHS-I.

15. nlevel(r) ≤ nlevel(t), by Claims 9 and 13 and GHS-J.

16. No CONNECT message is in either queue of core(f), by Claim 9.

17. No CONNECT message is in any internal queue of f, by Claim 16 and CON-E.

18. inbranch(p) = (p,q), by Claims 1 and 2 and DC-A(a).

19. p is up-to-date, by Claims 2, 9 and 18.

20. findcount(p) = 0, by Claim 3 and DC-H(b).

21. All children of p are completed, by Claims 19 and 20 and DC-K(a).

22. r ∈ subtree(p), by Claims 1, 2, 3 and 4 and DC-P(b).

23. Following bestlinks from p leads along edges of subtree(f) to (r,t), by Claims 9, 19, 21 and 22, choice of (r,t), and DC-K(b) and (c).

The following remarks apply to both Subcase 1a and Subcase 1b: ComputeMin(f) is enabled in S_x(s') by Claims 7, 8 and 9 for x = TAR; by Claims 7, 14 and 15 (and definition of (r,t)) for x = NOT; and by Claims 7, 11 and 17 for x = CON. π is obviously enabled in S_DC(s').


Subcase 1a: lstatus(bestlink(p)) = branch. A_DC(s',π) = π. A_x(s',π) = ComputeMin(f) for all other x.

More claims about s':

24. lstatus(bestlink(p)) = branch, by assumption.

25. bestlink(p) ∈ subtree(f), by Claims 7 and 24 and TAR-A(a).

26. p ≠ r = mw-minnode(f), by Claims 23 and 25.

Claims about s:

27. The effects of π are reflected in S_DC(s), by code.

28. The effects of ComputeMin(f) are reflected in S_4(S_DC(s)), by Claim 27 and argument in proof of Lemma 19, Case 1 of verifying (3c) for π = ReceiveReport.

29. minlink(f) = (r,t), by Claims 28 and 12.

30. Following bestlinks from p leads to (r,t), by Claim 23.

31. tominlink(p) = bestlink(p), by Claims 30 and 24.

32. p ≠ minnode(f), by Claims 29 and 24.

33. p = root(f), by Claims 2, 22 and 29.

By Claims 3, 4 and 17, procedure ChangeRoot(p) is executed in GHS. The effects of ComputeMin(f) are reflected in S_x(s) by Claims 29 and 12 for x = TAR; by Claim 29 and choice of (r,t) for x = NOT; and by Claims 29, 31, 32, 33 and choice of (r,t) for x = CON. The effects of π are reflected in S_DC(s) by Claim 27.


Subcase 1b: lstatus(bestlink(p)) ≠ branch.

A_DC(s',π) = π t_DC ChangeRoot(f), where t_DC is the result of applying π to S_DC(s').

A_CON(s',π) = ComputeMin(f).

For all other x, A_x(s',π) = ComputeMin(f) t_x ChangeRoot(f), where t_x is the result of applying ComputeMin(f) to S_x(s').

More claims about s':

34. lstatus(bestlink(p)) ≠ branch, by assumption.

35. bestlink(p) = (r,t), by Claims 23, 34 and 7 and TAR-A(b).

36. p = r = mw-minnode(f), by Claim 35.

37. nstatus(q) ≠ sleeping, by Claim 1 and GHS-A.

38. awake = true, by Claim 37.

39. rootchanged(f) = false, by Claim 7 and COM-B.

Claims about t_x, x ≠ CON:

40. If x = TAR, then minlink(f) = (r,t), by Claim 12.

41. If x = NOT, then minlink(f) = (r,t), by choice of (r,t).

42. If x = DC, then minlink(f) = (r,t), by Claims 6 and 12 and argument in proof of Lemma 15, verifying (3c) for π = ComputeMin.

43. awake = true, by Claim 38.

44. rootchanged(f) = false, by Claim 39.

The effects of π are mirrored in t_DC and those of ComputeMin(f) in t_TAR and t_NOT by definition. ChangeRoot(f) is enabled in t_x by Claims 40, 43 and 44 for x = TAR; by Claims 41, 43 and 44 for x = NOT; and by Claims 42, 43 and 44 for x = DC.

Claims about s:

45. minlink(f) = (r,t), by argument in proof of Lemma 19, Case 1 of verifying (3c) for π = ReceiveReport.

46. lstatus(bestlink(p)) = branch, by code.

47. lstatus(minlink(f)) = branch, by Claims 35 and 45.

48. CONNECT is added to queue(bestlink(p)), by code.

49. rootchanged(f) = true, by Claims 45 and 48.

The effects of ChangeRoot(f) are mirrored in S_x(s) by Claims 47 and 49 for x = TAR, and by Claim 49 for x = DC and NOT. The effects of ComputeMin(f) are mirrored in S_CON(s) by Claims 36, 14 and 45.


Case 2: (p,q) ≠ core(f) or nstatus(p) = find or w ≤ bestwt(p) in s'.

A_DC(s',π) = π. A_x(s',π) is empty for all other x.

Subcase 2a: (p,q) ≠ core(f) in s'. Suppose (p,q) = inbranch(p) in s'. By DC-B(b), dcstatus(p) = unfind. Thus, the only effect is to remove the report message. Thus S_DC(s') π S_DC(s) is an execution fragment of DC. As proved in Lemma 19, Case 2a of verifying (3b) for π = ReceiveReport, minlink(f) is unchanged. Thus S_x(s') = S_x(s) for all x ≠ DC.

Now suppose (p,q) ≠ inbranch(p).

Claims about s':

1. REPORT is at the head of queue((q,p)), by precondition.

2. (p,q) ≠ core(f), by assumption.

3. (p,q) ≠ inbranch(p), by assumption.

4. dcstatus(p) = find, by Claims 1, 2 and 3 and DC-A(g).

5. p is up-to-date, by Claim 4 and DC-I(a).

6. q is a child of p, by Claims 3 and 5.

7. findcount(p) > 0, by Claims 1, 5 and 6 and DC-K(a).

8. No FIND message is headed toward p, by Claim 7 and GHS-M.

9. No CONNECT is in queue((r,t)), where (r,t) = core(f) and p ∈ subtree(r), by Claim 7 and GHS-M.

10. p ∈ testset(f) if and only if testlink(p) ≠ nil, by Claims 8 and 9.

Obviously, π is enabled in S_DC(s'). By Claim 10 and inspection, the effects of π are mirrored in S_DC(s). Since the proof of Lemma 19, Case 2a of verifying (3b) for π = ReceiveReport, shows that minlink(f) is unchanged, S_x(s') = S_x(s) for all x ≠ DC.

Subcase 2b: (p,q) = core(f) and nstatus(p) = find in s'. Since REPORT(w) is at the head of queue((q,p)), DC-A(a) implies that inbranch(p) = (p,q). Thus, the only change is that the report message is requeued. Obviously S_DC(s') π S_DC(s) is an execution fragment of DC, and S_x(s') = S_x(s) for all x ≠ DC.

Subcase 2c: (p,q) = core(f), nstatus(p) ≠ find and w ≤ bestwt(p) in s'. As in Subcase 2b, inbranch(p) = (p,q). The only change is that the report message is removed. Thus S_DC(s') π S_DC(s) is an execution fragment of DC. As proved in Lemma 19, Case 2c of verifying (3b) for π = ReceiveReport, minlink(f) is unchanged in s. Thus S_x(s') = S_x(s) for all x ≠ DC.

(3a) Case 1: inbranch(p) ≠ (p,q).

GHS-A: By DC-A(a), (p,q) ≠ core(f). By DC-A(g), dcstatus(p) = find. The predicate is vacuously true.

GHS-B: Only the addition of a report message affects this predicate. The argument is very similar to that in π = ReceiveTest((q,p),l,c), Case 2 of (3a).

GHS-H: By code (in procedure Report(p)).

No change affects the rest.

Case 2: inbranch(p) = (p,q). If nstatus(p) = find or w ≤ bestwt(p), then no change affects any predicate. Suppose nstatus(p) ≠ find and w > bestwt(p).


GHS-A: By DC-B(a), subtree(p) ≠ {p}. By GHS-A(a), nstatus(p) ≠ sleeping, so the predicate is vacuously true.

GHS-B: Let (p,r) = bestlink(p) in s'. If lstatus((p,r)) = branch, then no change affects this predicate. Suppose lstatus((p,r)) ≠ branch. As shown in (3b)/(3c), Claim 35 of Case 1b, bestlink(p) is the minimum-weight external link of f. Thus lstatus((r,p)) ≠ rejected by TAR-B, and if lstatus((r,p)) = branch, then there is a CONNECT in queue((r,p)). So the predicate is vacuously true for the connect added to queue((p,r)). If there is a leftover connect in queue((r,p)), then the predicate is vacuously true because of the new connect in queue((p,r)).

GHS-C: Let (p,r) = bestlink(p) in s'. Since bestlink(p) is external (as shown in (3b)/(3c)), no reject is in queue((p,r)) by TAR-G. Also, since it is external, lstatus((p,r)) ≠ rejected by TAR-B. Suppose a test is in queue((p,r)). By TAR-D, testlink(p) = (p,r), and by GHS-H, nstatus(p) = find, which contradicts the assumption for this case. Also, since the link is external, no find is in queue((p,r)) by DC-D(a).

No change affects the rest.

xi) π is ReceiveChangeRoot((q,p)).

(3b)/(3c) There are two cases. First we prove some facts true in both cases.

Claims about s':

1. CHANGEROOT is at the head of queue((q,p)), by precondition.

2. minlink(f) ≠ nil, by Claim 1 and CON-C.

3. rootchanged(f) = false, by Claim 1 and CON-C.

4. p ∈ subtree(q), by Claim 1 and CON-C.

5. minnode(f) ∈ subtree(p), by Claim 1 and CON-C.

6. nlevel(minnode(f)) = level(f), by NOT-D.

7. testset(f) = ∅, by Claim 2 and GC-C.

8. minlink(f) is the minimum-weight external link of f, by Claim 2 and COM-A.

9. minnode(f) is up-to-date, by Claims 7 and 8 and DC-N.

10. p is up-to-date, by Claims 5, 7 and 9.

11. No REPORT message is headed toward mw-root(f), by Claim 2.

12. No REPORT message is headed toward p, by Claims 4 and 11.

13. dcstatus(p) = unfind, by Claims 7 and 12 and DC-I(b).

14. findcount(p) = 0, by Claim 13 and DC-H(b).

15. All children of p are completed, by Claims 10 and 14 and DC-K(a).

16. Following bestlinks from p leads along edges in subtree(f) to the minimum-weight external link of subtree(p), by Claims 7, 10 and 15 and DC-K(b) and (c).


Case 1: lstatus(bestlink(p)) ≠ branch in s'.

A_CON(s',π) = π. A_x(s',π) = ChangeRoot(f) for all other x.

More claims about s':

17. lstatus(bestlink(p)) ≠ branch, by assumption.

18. bestlink(p) is not in subtree(f), by Claim 17 and TAR-A(b).

19. bestlink(p) = minlink(f), by Claims 5, 8, 16 and 18.

20. nstatus(q) ≠ sleeping, by Claim 1 and GHS-A(b).

21. awake = true, by Claim 20.

Claims about s:

22. lstatus(bestlink(p)) = branch, by code.

23. CONNECT is in queue(bestlink(p)), by code.

24. MSF does not change, by Claims 22 and 23.

25. bestlink(p) = minlink(f), by Claims 19 and 24.

26. rootchanged(f) = true, by Claims 23 and 25.

ChangeRoot(f) is enabled in S_x(s') by Claims 2, 3 and 21, for all x ≠ CON. The effects of ChangeRoot(f) are mirrored in S_x(s) by Claims 22, 25 and 26 for x = TAR, and by Claim 26 for x = DC and NOT. π is enabled in S_CON(s') by Claim 1; its effects are mirrored in S_CON(s) by Claims 6 and 19.

Case 2: lstatus(bestlink(p)) = branch in s'.

A_CON(s',π) = π. A_x(s',π) is empty for all other x.

More claims about s':

27. lstatus(bestlink(p)) = branch, by assumption.

28. lstatus(minlink(f)) ≠ branch, by Claim 3 and TAR-H.

29. bestlink(p) is in subtree(f), by Claims 27 and 28 and TAR-A(a).

30. p ≠ minnode(f), by Claims 16 and 29.

31. bestlink(p) = tominlink(p), by Claims 8, 16 and 29.

32. nlevel(p) = level(f), by Claim 10 and GHS-I.

Obviously, all derived (and non-derived) variables are unchanged, except cqueues. Thus, S_x(s') = S_x(s) for all x ≠ CON. π is enabled in S_CON(s') by Claim 1; its effects are mirrored in S_CON(s) by Claims 30, 31 and 32.

(3a) GHS-A: By CON-C, (p,q) ∈ subtree(f). By GHS-A(a), nstatus(p) ≠ sleeping in s', so the predicate is vacuously true in s.

GHS-B: Essentially the same argument as in π = ReceiveReport((q,p),w), Case 2 of (3a).

GHS-C: Essentially the same argument as in π = ReceiveReport((q,p),w), Case 2 of (3a).

No change affects the rest. □

P'_GHS = ⋀_x (P'_x ∘ S_x) ∧ P_GHS.

Corollary 26: P'_GHS is true in every reachable state of GHS.

Proof: By Lemmas 1 and 25. □
4.3 Liveness

We show a path in the lattice along which liveness properties are preserved. The path is HI, COM, GC, TAR, GHS. In showing the edge from GHS to TAR, it is useful to know some liveness relationships between GC and DC, and between COM and CON.

The reason for considering liveness relationships in other parts of the lattice is to take advantage of the more abstract forms of the algorithm. For instance, the essence of showing that the GHS algorithm will take steps leading to the simulation of ComputeMin(f) in TAR is the same as showing that DC takes steps leading to the simulation of ComputeMin(f) in GC. (These steps are the convergecast of REPORT messages back to the core.) DC is not cluttered with variables and actions that are not relevant to this argument, unlike GHS. Thus, we make the argument for DC to GC, and then apply Lemma 7 for the GHS to TAR situation.

For the same reason, we show that the progression of changeroot messages in CON leads to the simulation of ChangeRoot(f) in COM, and that the movement of CONNECT messages over links in CON leads to Absorb and Merge in COM, and then apply Lemma 7.

4.3.1 COM is Equitable for HI

The main idea here is to show that as long as there exist two distinct subgraphs, progress is made; the heart of the argument is showing that some fragment at the lowest level can always take a step. This requires a global argument that considers all the fragments.

Lemma 27: COM is equitable for HI via M_1.

Proof: By Corollary 14, (P_HI ∘ S_1) ∧ P_COM is true in every reachable state of COM. Thus, in the sequel we will use the HI and COM predicates.

For each locally-controlled action φ of HI, we must show that COM is equitable for φ via M_1.

i) φ is Start(p) or NotInTree(l). Since φ is enabled in S_1(s) if and only if it is also enabled in s, and since A_1(s,φ) includes φ, for any state s, Lemma 5 shows that COM is equitable for φ via M_1.

ii) φ is Combine(F,F',e). We show COM is progressive for φ via M_1; Lemma 6 implies COM is equitable for φ via M_1.



Let Ψ_φ be the set of all pairs (s,ψ) of reachable states s of COM and internal actions ψ of COM enabled in s. For reachable state s, let v_φ(s) = (x,y,z), where x is the number of fragments in s, y is the number of fragments f with rootchanged(f) = false in s, and z is the number of fragments f with minlink(f) = nil in s. (Two triples are compared lexicographically.)

(1) Let s be a reachable state of COM in E_φ. We now demonstrate that some action ψ is enabled in s with (s,ψ) ∈ Ψ_φ.

Claims:

1. awake = true in S_1(s), by precondition.

2. F ≠ F' in S_1(s), by precondition.

3. awake = true in s, by Claim 1 and definition of S_1.

4. There exist f and g in fragments such that subtree(f) = F and subtree(g) = F' in s, by Claim 2 and definition of S_1.

5. f ≠ g in s, by Claims 2 and 4.

Let l = min{level(f') : f' ∈ fragments} in s. (By Claim 4, fragments is not empty in s, so l is defined.) Let L = {f' ∈ fragments : level(f') = l}.

Case 1: There exists f' ∈ L with minlink(f') = nil. Let ψ = ComputeMin(f'). We now show ψ is enabled in s. By Claim 5, the minimum-weight external link (p,q) of f' exists. By choice of l, level(f') ≤ level(fragment(q)). Obviously (s,ψ) ∈ Ψ_φ.

Case 2: For all f' ∈ L, minlink(f') ≠ nil.

Case 2.1: There exists f' ∈ L with rootchanged(f') = false. Let ψ = ChangeRoot(f'). ψ is enabled in s by Claim 3 and the assumption for Case 2. Obviously (s,ψ) ∈ Ψ_φ.

Case 2.2: For all f' ∈ L, rootchanged(f') = true.

Case 2.2.1: There exists fragment g' ∈ L with level(f') > l, where f' = fragment(target(minlink(g'))). (By COM-G, f' is uniquely defined.) Let ψ = Absorb(f',g'). Obviously ψ is enabled in s, and (s,ψ) ∈ Ψ_φ.

Case 2.2.2: There is no fragment g' ∈ L such that level(f') > l, where f' = fragment(target(minlink(g'))). Pick any fragment f_1 such that level(f_1) = l. For i > 1, define f_i to be fragment(target(minlink(f_{i-1}))).

More claims about s:

6. f_i is uniquely defined, for all i ≥ 1. Proof: If i = 1, by definition. Suppose it is true for i − 1 ≥ 1. Then it is true for i by COM-G, since minlink(f_{i-1}) is well-defined and non-nil.

7. minlink(f_i) is the minimum-weight external link of f_i, for all i ≥ 1, by COM-A.

8. f_i ≠ f_{i+1}, for all i ≥ 1, by Claims 6 and 7 and definition of f_i.

9. If minedge(f_i) ≠ minedge(f_{i-1}) for some i > 1, then f_{i+1} is not among f_1, …, f_i, by Claims 7 and 8, and since the edge-weights are totally ordered.

10. There are only a finite number of fragments, by COM-D and the fact that V(G) is finite.

By Claims 9 and 10, there is an i ≥ 1 such that minedge(f_i) = minedge(f_{i+1}). Let ψ = Merge(f_i, f_{i+1}). Obviously ψ is enabled in s, and (s,ψ) ∈ Ψ_φ.

(2) Consider a step (s',π,s) of COM, where s' is reachable and in E_φ, (s',π) ∉ X_φ, and s ∈ E_φ.

(a) v_φ(s) ≤ v_φ(s'), because there is no action of COM that increases the number of fragments; only a Merge action increases the number of fragments with minlink equal to nil or rootchanged equal to false, and it simultaneously causes the number of fragments to decrease.

(b) Suppose (s',π) ∈ Ψ_φ. Then v_φ(s) < v_φ(s'), since Absorb and Merge decrease the number of fragments, ComputeMin maintains the number of fragments and the number of fragments with rootchanged = false and decreases the number with minlink = nil, and ChangeRoot maintains the number of fragments and decreases the number with rootchanged = false.

(c) Suppose (s',π) ∉ Ψ_φ, ψ is enabled in s', and (s',ψ) ∈ Ψ_φ. Then ψ is still enabled in s, since the only possible values of π are Start(p), InTree(l) and NotInTree(l), none of which disables ψ. By definition, (s,ψ) ∈ Ψ_φ.
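The variant v_φ(s) = (x,y,z) and the four internal actions of COM, as an added executable illustration that is not code from the paper: it builds a small constructed graph, applies the actions in a scripted order, and checks that every enabled step decreases v_φ lexicographically while a step whose precondition fails (an Absorb between equal-level fragments, a ComputeMin on a fragment with no external link) leaves it unchanged. The action preconditions are paraphrased from the case analysis in part (1) of the proof, not taken from the paper's formal definition of COM; the graph, fragment ids and schedule are constructed here.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample graph (not from the paper): six nodes with distinct edge
# weights, so the weights are totally ordered as the proof requires.
EDGES = {frozenset({"a", "b"}): 1, frozenset({"b", "c"}): 4, frozenset({"c", "d"}): 2,
         frozenset({"d", "e"}): 5, frozenset({"e", "f"}): 3, frozenset({"a", "f"}): 6}


@dataclass
class Fragment:
    nodes: set
    level: int = 0
    minlink: Optional[tuple] = None   # (p, q): p inside the fragment, q outside; None is nil
    rootchanged: bool = False


def initial_state():
    """Every node starts as its own level-0 fragment (dict: fragment id -> Fragment)."""
    return {n: Fragment({n}) for n in "abcdef"}


def fragment_of(frags, node):
    return next(fid for fid, f in frags.items() if node in f.nodes)


def min_external_link(frags, fid):
    """Minimum-weight link (p, q) with p in fragment fid and q outside it, or None."""
    nodes = frags[fid].nodes
    cands = [(w, tuple(sorted(e, key=lambda n: n not in nodes)))
             for e, w in EDGES.items() if len(e & nodes) == 1]
    return min(cands)[1] if cands else None


def variant(frags):
    """v_phi(s) = (#fragments, #with rootchanged = false, #with minlink = nil)."""
    fs = list(frags.values())
    return (len(fs), sum(not f.rootchanged for f in fs), sum(f.minlink is None for f in fs))


# Each action returns True and updates frags when enabled, else False with no change.
def compute_min(frags, fid):
    f, link = frags[fid], min_external_link(frags, fid)
    if f.minlink is not None or link is None:
        return False
    if f.level > frags[fragment_of(frags, link[1])].level:  # needs level(f) <= level(g)
        return False
    f.minlink = link
    return True


def change_root(frags, fid, awake=True):
    f = frags[fid]
    if not awake or f.minlink is None or f.rootchanged:
        return False
    f.rootchanged = True
    return True


def absorb(frags, fid, gid):
    """g joins f = fragment(target(minlink(g))) when level(f) > level(g)."""
    f, g = frags[fid], frags[gid]
    if g.minlink is None or not g.rootchanged or f.level <= g.level:
        return False
    if fragment_of(frags, g.minlink[1]) != fid:
        return False
    f.nodes |= g.nodes
    del frags[gid]
    return True


def merge(frags, fid, gid):
    """Equal-level f and g sharing their minedge become one fragment at level + 1."""
    f, g = frags[fid], frags[gid]
    if any(x.minlink is None or not x.rootchanged for x in (f, g)) or f.level != g.level:
        return False
    if frozenset(f.minlink) != frozenset(g.minlink):
        return False
    del frags[fid], frags[gid]
    frags[fid + gid] = Fragment(f.nodes | g.nodes, f.level + 1)  # minlink nil, rootchanged false
    return True


def run(frags, script):
    """Apply the scripted actions in order; return (enabled?, v_phi afterwards) per step."""
    return [(action(frags, *args), variant(frags)) for action, *args in script]


def decreases_when_enabled(frags, script):
    """Part (2) of the proof: enabled steps strictly decrease v_phi, others leave it."""
    prev = variant(frags)
    for enabled, v in run(frags, script):
        if (enabled and not v < prev) or (not enabled and v != prev):
            return False
        prev = v
    return True


# Constructed schedule that grows fragments bottom-up; steps 20 and 25 are deliberately
# not enabled (Absorb between equal levels; ComputeMin on the final fragment).
SCRIPT = [(compute_min, "a"), (compute_min, "b"), (change_root, "a"), (change_root, "b"),
          (merge, "a", "b"), (compute_min, "c"), (change_root, "c"), (compute_min, "d"),
          (change_root, "d"), (merge, "c", "d"), (compute_min, "e"), (change_root, "e"),
          (compute_min, "f"), (change_root, "f"), (merge, "e", "f"), (compute_min, "ab"),
          (compute_min, "cd"), (compute_min, "ef"), (change_root, "ef"), (absorb, "cd", "ef"),
          (change_root, "ab"), (change_root, "cd"), (merge, "ab", "cd"),
          (absorb, "abcd", "ef"), (compute_min, "abcd")]
```

Calling `run(initial_state(), SCRIPT)` shows the triple falling from (6, 6, 6) to (1, 1, 1), with the two disabled steps leaving it unchanged.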

iii) φ is InTree((p,q)). We show COM is progressive for φ via M_1; Lemma 6 implies that COM is equitable for φ via M_1.

Let Ψ_φ be the set of all pairs (s,ψ) of reachable states s of COM and actions ψ of COM enabled in s such that ψ is either an internal action or is φ.

For reachable state s, let v_φ(s) = v_{Combine(F,F',e)}(s).

(1) Let s be a reachable state of COM in E_φ. We now demonstrate that some action ψ is enabled in s with (s,ψ) ∈ Ψ_φ.

If (p,q) ∈ F for some F in S_1(s), then (p,q) ∈ subtree(fragment(p)) in s. Let ψ = InTree((p,q)).

Suppose (p,q) is the minimum-weight external link of some F in S_1(s). Then there is more than one fragment. Essentially the same argument as in φ = Combine(F,F',e) shows that some Absorb(f',g'), or Merge(f_i, f_{i+1}), or ChangeRoot(f'), or ComputeMin(f') is enabled in s.

(2) As in φ = Combine(F,F',e), after noting that π ≠ InTree((p,q)). □

4.3.2 GC is Equitable for COM

The main part of the proof is showing that eventually every node is removed from testset(f), so that eventually ComputeMin(f) can occur. As in Section 4.3.1, a global argument is required, because a node might have to wait for many other fragments to merge or absorb until the level of the fragment at the other end of p's local minimum-weight external link is high enough.

Lemma 28: GC is equitable for COM via M_2.

Proof: By Corollary 16, (P'_COM ∘ S_2) ∧ P_GC is true in every reachable state of GC. Thus, in the sequel we will use the HI, COM, and GC predicates.

For each locally-controlled action φ of COM, we must show that GC is equitable for φ via M_2.

i) φ is not ComputeMin(f) for any f. Since φ is enabled in s if and only if φ is enabled in S_2(s), and since A_2(s,φ) includes φ, for all s, Lemma 5 shows that GC is equitable for φ via M_2.

ii) φ is ComputeMin(f). We show GC is progressive for φ via M_2; Lemma 6 implies that GC is equitable for φ via M_2.

Let Ψ_φ be the set of all pairs (s,π) of reachable states s of GC and internal actions π of GC enabled in s. For reachable state s, let v_φ(s) be a quadruple with the following components:

1. the number of fragments;

2. the number of fragments with rootchanged = false;

3. the number of fragments with minlink = nil; and

4. the sum of the number of nodes in each fragment's testset.

(1) Let s be a reachable state of GC in E_φ. So ComputeMin(f) is enabled in S_2(s). We now show that some ψ is enabled in s with (s,ψ) ∈ Ψ_φ.

Let Q be the directed graph defined as follows. There is one vertex of Q for each element of fragments in s. We now specify the directed edges of Q. Let v and w be two vertices of Q, corresponding to fragments f' and g'. There is a directed edge from v to w in Q if and only if there is a node p in testset(f') whose minimum-weight external link is (p,q), fragment(q) = g', and level(f') > level(g'). We will call fragment f' a sink if its corresponding vertex in Q is a sink. (It should be obvious that there is at least one sink.)

Case 1: There is a sink f' such that testset(f') ≠ ∅. Let ψ = TestNode(p) for some p ∈ testset(f'). Since f' is a sink, ψ is enabled in s. Obviously (s,ψ) ∈ Ψ_φ.

Case 2: For all sinks f', testset(f') = ∅.

Case 2.1: There is a sink f' such that minlink(f') = nil. Let ψ = ComputeMin(f'). Since ComputeMin(f) is enabled in S_2(s), there are at least two fragments, so there is an external link of f'. By GC-B, accmin(f') ≠ nil. Thus ψ is enabled in s. Obviously (s,ψ) ∈ Ψ_φ.

Case 2.2: For all sinks f', minlink(f') ≠ nil.

Case 2.2.1: There is a sink f' such that rootchanged(f') = false. Let ψ = ChangeRoot(f'). Since ComputeMin(f) is enabled in S_2(s), minlink(f) = nil. By COM-C then, awake = true. Thus ψ is enabled in s. Obviously (s,ψ) ∈ Ψ_φ.

Case 2.2.2: For all sinks f', rootchanged(f') = true. By COM-A, the following two cases are exhaustive.

Case 2.2.2.1: There is a sink f' such that level(g') > level(f'), where g' = fragment(target(minlink(f'))). Let ψ = Absorb(g',f'). Since f' is a sink, ψ is enabled in s. Obviously (s,ψ) ∈ Ψ_φ.

Case 2.2.2.2: For all sinks f', level(g') = level(f'), where g' = fragment(target(minlink(f'))). Let m = min{level(f') : f' is a sink}. Let f' be a sink with level(f') = m, and let g' = fragment(target(minlink(f'))). If g' is not a sink, then from the vertex in Q corresponding to g' a sink is reachable (along the directed edges) whose corresponding fragment is a sink with level less than m, contradicting our choice of m. Thus g' is a sink. Since the edge weights are totally ordered, by COM-A there are two sinks f' and g' at level m such that minedge(f') = minedge(g'). Let ψ = Merge(f',g'). Obviously ψ is enabled in s, and (s,ψ) ∈ Ψ_φ.

(2) Consider step (s',π,s) of GC, where s' is reachable and in E_φ, (s',π) ∉ X_φ, and s ∈ E_φ.

(a) Obviously the external actions of GC do not change v_φ. This fact, together with (b) below, shows that v_φ(s) ≤ v_φ(s').

(b) Suppose (s',π) ∈ Ψ_φ. If π = TestNode(p), then component 4 of v_φ decreases and the rest stay the same. If π = ComputeMin(f'), then component 3 of v_φ decreases and the rest stay the same. If π = ChangeRoot(f'), then component 2 of v_φ decreases and the rest stay the same. If π = Merge(f',g') or Absorb(f',g'), then component 1 of v_φ decreases.

(c) Suppose (s',π) ∉ Ψ_φ, ψ is enabled in s', and (s',ψ) ∈ Ψ_φ. Since the only choice for π is an external action of GC, obviously ψ is enabled in s and (s,ψ) ∈ Ψ_φ. □

4.3.3 TAR is Equitable for GC

The substantial argument here is that a node p's local test-accept-reject protocol eventually finishes, thus simulating TestNode(p) in GC. Again, we need a global argument: to show that the recipient of p's test message eventually responds to it, we must show that the level of the recipient's fragment eventually is large enough. This proof is where the state component of the set Ψ in the definition of progressive is used. The receipt of a TEST message will generally make progress, but if it is requeued and the state is unchanged, no function on states can decrease; thus, we exclude such a state-action pair from Ψ_φ.

Lemma 29: TAR is equitable for GC via M_3.

Proof: By Corollary 18, (P'_GC ∘ S_3) ∧ P_TAR is true in every reachable state of TAR. Thus, in the sequel we will use the HI, COM, GC, and TAR predicates.

For each locally-controlled action φ of GC, we must show that TAR is equitable for φ via M_3.


i) φ is not TestNode(p) for any p, or InTree(l) or NotInTree(l) for any l. Since φ is enabled in s if and only if φ is enabled in S_3(s), and since A_3(s,φ) includes φ for all s, Lemma 5 implies that TAR is equitable for φ via M_3.

ii) φ is TestNode(p). We show TAR is progressive for φ via M_3; Lemma 6 implies that TAR is equitable for φ via M_3. In the worst case, we have to wait for the levels to have the correct relationship. This requires a "global" argument.

Let Ψ_φ be the set of all pairs (s,π) of reachable states s of TAR and internal actions π of TAR enabled in s, such that if π = ReceiveTest((q,r),l,c), then in s either level(fragment(r)) ≥ l, or there is more than one message in tarqueue_r((q,r)).

For reachable state s, let v_φ(s) be a 10-tuple of:

1. the number of fragments in s,

2. the number of fragments f with rootchanged(f) = false in s,

3. the number of fragments f with minlink(f) = nil in s,

4. the number of nodes q such that q ∈ testset(fragment(q)) in s,

5. the number of links l such that either lstatus(l) = unknown, or else lstatus(l) = branch and there is a protocol message for l, in s,

6. the number of links l such that no accept or reject message is in tarqueue(l) in s,

7. the number of links l such that no TEST message is in tarqueue(l) in s,

8. the number of messages in tarqueue_q((q,r)), for all (q,r) ∈ L(G), in s,

9. the number of messages in tarqueue_qr((q,r)), for all (q,r) ∈ L(G), in s,

10. the number of messages in tarqueue_r((q,r)), for all (q,r) ∈ L(G), that are behind a TEST message in s.

(1) Let s be a reachable state of TAR in E_φ. We show that there exists an action ψ enabled in s such that (s,ψ) ∈ Ψ_φ.

Let l = min{level(f) : f ∈ fragments}.

Case 1: All fragments f at level l have rootchanged(f) = true. Then some Absorb(f,g) or Merge(f,g) is enabled in s, as argued in Lemma 27, Case 2.2.1 for φ = Combine. Let ψ be one of these enabled actions.

Case 2: level(f) = l and rootchanged(f) ≠ true, for some f ∈ fragments.

Claims about s:

1. p ∈ testset(fragment(p)), by precondition of φ.
2. awake = true, by Claim 1 and GC-C and COM-C.

Case 2.1: minlink(f) ≠ nil. Let ψ = ChangeRoot(f). By Claim 2 and the assumption for Case 2.1, ψ is enabled in s.

Case 2.2: minlink(f) = nil.

Case 2.2.1: testset(f) = ∅.

3. Either there is no external link of f, or accmin(f) ≠ nil, by GC-B and the assumption for Case 2.2.1.

4. fragment(p) ≠ f, by Claim 1 and the assumption for Case 2.2.1.

5. accmin(f) ≠ nil, by Claims 3 and 4.

Let ψ = ComputeMin(f). It is enabled in s by Claim 5 and the assumption for Case 2.2.1.

Case 2.2.2: testset(f) ≠ ∅. Let q be some element of testset(f).

Case 2.2.2.1: testlink(q) = nil. Let ψ = SendTest(q). It is enabled in s by the assumptions for Case 2.2.2.1.

Case 2.2.2.2: testlink(q) ≠ nil. By TAR-C(a), testlink(q) = (q,r), for some r. There is a protocol message for (q,r), by TAR-C(c). So there is some message at the head of at least one of the six queues comprising tarqueue((q,r)) and tarqueue((r,q)). At least one of the following is enabled in s: ReceiveTest(k,l',c'), ReceiveAccept(k), ReceiveReject(k), ChannelSend(k,m), and ChannelRecv(k,m), where k is either (q,r) or (r,q), and m ∈ M.

Suppose in contradiction that there is no ψ enabled in s such that (s,ψ) ∈ Ψ_φ. That is, by definition of Ψ_φ, the only message in tarqueue((q,r)) (if any) is a TEST(l',c') in tarqueue_r((q,r)) with l' > level(fragment(r)); and the only message in tarqueue((r,q)) (if any) is a TEST(l'',c'') in tarqueue_q((r,q)) with l'' > level(fragment(q)).

Suppose the protocol message for (q,r) is a TEST(l',c') in tarqueue((q,r)), with lstatus((q,r)) ≠ rejected. By TAR-E(b), l' = level(fragment(q)). Since fragment(q) = f, l' = l by choice of f. But l' > level(fragment(r)), by definition of Ψ_φ, which contradicts the definition of l.

Suppose the protocol message for (q,r) is a TEST(l'',c'') in tarqueue((r,q)), with lstatus((r,q)) = rejected. By TAR-E(c), l'' = level(fragment(q)). But by definition of Ψ_φ, l'' > level(fragment(q)).
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(2)  Let  (s',  TT,  s)  be  a  step  of  TAR,  where  s'  is  reachable  and  is  in  E^,  {s' ,7r)  ^ 
A'^,  and  s  E  E^. 

(a) If (s',π) ∉ Ψ_φ, then π is either InTree(l), NotInTree(l), or Start(p), or else π is ReceiveTest((q,r),l,c) and in s', l > level(fragment(r)) and there is only one message in tarqueue_r((q,r)). In all cases, no component of v_φ is changed, so v_φ(s) = v_φ(s').

Part (b) below finishes the proof that v_φ(s) ≤ v_φ(s').

(b) Suppose (s',π) ∈ Ψ_φ. We show v_φ(s) < v_φ(s').

• Suppose π = ChannelSend(l,m). Component 8 of v_φ decreases and components 1 through 7 do not change.

• Suppose π = ChannelRecv(l,m). Component 9 of v_φ decreases and components 1 through 8 do not change.

• Suppose π = SendTest(q). Let (q,r) be the minimum-weight link of q with lstatus unknown in s'. By precondition, testlink(q) = nil in s'. By TAR-D, there is no protocol message for (q,r) in s', so there is no TEST message in tarqueue((q,r)) in s'. One is added in s. Thus component 7 of v_φ decreases and components 1 through 6 do not change. If there is no link of q with lstatus unknown, then q is removed from testset(fragment(q)). Thus component 4 of v_φ decreases and components 1 through 3 do not change.

• Suppose π = ReceiveTest((q,r),l,c) and in s' either l ≤ level(fragment(r)) or there is more than one message in tarqueue_r((q,r)).

Case 1: l ≤ level(fragment(r)) and either c ≠ core(fragment(r)) or testlink(r) ≠ (r,q) in s'.

Claims about s':

1. A TEST(l,c) message is in tarqueue((q,r)), by precondition.

2. c ≠ core(fragment(r)) or testlink(r) ≠ (r,q), by assumption.

3. If c ≠ core(fragment(r)), then lstatus((q,r)) ≠ rejected, by TAR-E(c).

4. If testlink(r) ≠ (r,q), then there is no protocol message for (r,q), by TAR-D.

5. If testlink(r) ≠ (r,q), then lstatus((q,r)) ≠ rejected, by Claim 4 and definition.

6. The TEST(l,c) message in tarqueue((q,r)) is a protocol message for (q,r), by Claims 2, 3 and 5.

7. testlink(q) = (q,r), by Claim 6 and TAR-D.

8. There is no ACCEPT or REJECT message in tarqueue((r,q)), by Claims 6 and 7 and TAR-C(c).

If lstatus((q,r)) is changed from unknown to rejected, then component 5 of v_φ decreases and components 1 through 4 are unchanged. Otherwise, an ACCEPT or REJECT message is added to tarqueue((r,q)) in s, causing component 6 of v_φ to decrease by Claim 8, while components 1 through 5 stay the same.


Case 2: l ≤ level(fragment(r)) and c = core(fragment(r)) and testlink(r) = (r,q) in s'.

Claims about s':

1. A TEST(l,c) message is in tarqueue((q,r)), by precondition.

2. c = core(fragment(r)), by assumption.

3. testlink(r) = (r,q), by assumption.

Case 2.1: There is no link (r,t), t ≠ q, with lstatus unknown in s'. Then r is removed from testset(fragment(r)) in s, causing component 4 of v_φ to decrease while components 1 through 3 do not change.

Case 2.2: There is a link (r,t), t ≠ q, with lstatus((r,t)) = unknown in s'.

4. lstatus((r,q)) ≠ rejected, by Claim 3 and TAR-K.

By Claim 4, Cases 2.2.1 and 2.2.2 are exhaustive.

Case 2.2.1: lstatus((r,q)) = unknown in s'. It is changed to rejected in s, causing component 5 of v_φ to decrease and components 1 through 4 to stay the same.

Case 2.2.2: lstatus((r,q)) = branch.

Case 2.2.2.1: The TEST(l,c) message in tarqueue((q,r)) is a protocol message for (r,q).

5. The TEST(l,c) message in tarqueue((q,r)) is the only protocol message for (r,q), by TAR-C(c).

Since the only protocol message for (r,q) is removed in s, component 5 of v_φ decreases and components 1 through 4 stay the same.

Case 2.2.2.2: The TEST(l,c) message in tarqueue((q,r)) is not a protocol message for (r,q).

6. lstatus((q,r)) ≠ rejected, by the assumptions for Case 2.2.2.2.

7. There is a TEST(l',c') message in tarqueue((r,q)) and lstatus((r,q)) = unknown, by Claims 1, 2, 3, 6 and TAR-P.

But Claim 7 contradicts the assumption for Case 2.2.2.

Case 3: l > level(fragment(r)) and there is more than one message in tarqueue_r((q,r)) in s'. All TEST messages in tarqueue_r((q,r)) are protocol messages for the same link, either (q,r) or (r,q). Since by TAR-D and TAR-C(c) there is never more than one protocol message for any link, this TEST(l,c) message is the only one. The TEST(l,c) message is put at the end of tarqueue_r((q,r)) in s, decreasing component 10 and not changing components 1 through 9.

• Suppose π = ReceiveAccept((q,r)). Since r is removed from testset(fragment(r)), component 4 of v_φ decreases while components 1 through 3 stay the same.

• Suppose π = ReceiveReject((q,r)). If there are no more unknown links, then r is removed from testset(fragment(r)), decreasing component 4 of v_φ and not changing components 1 through 3. Suppose there is another unknown link.

Claims about s':

1. A REJECT is in tarqueue((q,r)), by precondition.

2. There is a link (r,t), t ≠ q, with lstatus((r,t)) = unknown, by assumption.

3. testlink(r) = (r,q), by Claim 1 and TAR-D.

4. The REJECT in tarqueue((q,r)) is the only protocol message for (r,q), by Claim 3 and TAR-C(c).

5. lstatus((r,q)) ≠ rejected, by Claim 3 and TAR-K.

By Claim 5, lstatus((r,q)) ≠ rejected. If lstatus((r,q)) = unknown in s', it is changed to rejected in s. If lstatus((r,q)) = branch in s', then it stays branch in s, but there are no more protocol messages for (r,q) in s, by Claim 4. Thus component 5 of v_φ decreases while components 1 through 4 stay the same.

• Suppose π = ComputeMin(f). Component 3 of v_φ decreases and components 1 and 2 are unchanged.

• Suppose π = ChangeRoot(f). Component 2 of v_φ decreases and component 1 is unchanged.

• Suppose π = Merge(f,g) or Absorb(f,g). Component 1 of v_φ decreases.

(c) Suppose (s',π) ∉ Ψ_φ, ψ is enabled in s', and (s',ψ) ∈ Ψ_φ. Then ψ is still enabled in s and (s,ψ) ∈ Ψ_φ, since the only possibilities are: π = InTree(l), NotInTree(l), or Start(p), or else π = ReceiveTest((q,r),l,c) and in s', l > level(fragment(r)) and there is only one message in tarqueue_r((q,r)).

iii) φ is InTree((p,q)). We show that TAR is progressive for φ via M_3; Lemma 6 implies that TAR is equitable for φ via M_3. We simply show that if (p,q) = minlink(f), but lstatus((p,q)) is not yet branch, then eventually ChangeRoot(f) will occur.

Let Ψ_φ be all pairs (s,ψ) of reachable states s and actions ψ enabled in s such that one of the following is true (let f = fragment(p) in s):

• ψ = InTree((p,q)), or

• (p,q) = minlink(f) in s, and ψ = ChangeRoot(f).

For reachable state s, let v_φ(s) be 1 if (p,q) = minlink(f) and ChangeRoot(f) is enabled in s, and 0 otherwise.

(1) Let s be a reachable state of TAR in E_φ. We show that there exists an action ψ enabled in s such that (s,ψ) ∈ Ψ_φ. Let f = fragment(p) in s.

Claims about s:

1. awake = true, by precondition of φ.

2. (p,q) ∈ subtree(f) or (p,q) = minlink(f), by precondition of φ.

3. answered((p,q)) = false, by precondition of φ.

4. lstatus((p,q)) ≠ rejected, by Claim 2 and TAR-B.

By Claim 4, the following two cases are exhaustive.

Case 1: lstatus((p,q)) = branch. Let ψ = InTree((p,q)). It is enabled in s by Claims 1 and 3 and the assumption for this case, and (s,ψ) ∈ Ψ_φ.

Case 2: lstatus((p,q)) = unknown.

5. minlink(f) = (p,q), by Claim 2 and TAR-A(a).

6. rootchanged(f) = false, by Claim 5 and TAR-H.

Let ψ = ChangeRoot(f). It is enabled in s by Claims 1, 5 and 6, and (s,ψ) ∈ Ψ_φ.

(2) Let (s',π,s) be a step of TAR, where s' is reachable and is in E_φ, (s',π) ∉ X_φ, and s ∈ E_φ.

(a) Suppose (s',π) ∉ Ψ_φ. We show that no possibility for π can affect whether or not ChangeRoot(f) is enabled, i.e., v_φ(s) = v_φ(s'). This together with (b) below shows that v_φ(s) ≤ v_φ(s').

Case 1: ChangeRoot(f) is enabled in s'. No action sets awake to false. No action (other than ChangeRoot(f)) sets rootchanged(f) to true. No action sets minlink(f) to nil. f remains in fragments because π is not Absorb(g,f), Merge(f,g) or Merge(g,f), for any g, since rootchanged(f) = false.

Case 2: ChangeRoot(f) is not enabled in s'. By precondition of φ, awake is true in s'. If rootchanged(f) = true in s', then the same is true in s, because the only action that sets it to false is the Merge that created f. If minlink(f) = nil in s', then (p,q) ≠ minlink(f), so even if minlink(f) becomes non-nil (by ComputeMin(f)), v_φ remains 0.

(b) Suppose (s',π) ∈ Ψ_φ. Since (s',π) ∉ X_φ, π ≠ InTree((p,q)). Thus minlink(f) = (p,q) in s' and π = ChangeRoot(f). Obviously v_φ goes from 1 to 0.

(c) Suppose (s',π) ∉ Ψ_φ, ψ is enabled in s', and (s',ψ) ∈ Ψ_φ. The same argument as in (2a), Case 1, applies.
iv) φ is NotInTree((p,q)). We show that TAR is progressive for φ via M_3; Lemma 6 implies that TAR is equitable for φ via M_3. The goal is to show that if q ∈ nodes(fragment(p)) and (p,q) ∉ subtree(fragment(p)), then eventually lstatus((p,q)) = rejected. This requires a global argument, as for TestNode(p), because it could be that some unknown link will never be tested until only one fragment remains.

Let Ψ_φ be Ψ_TestNode(p) ∪ {(s, NotInTree((p,q))) : s reachable, NotInTree((p,q)) enabled in s}.

Let v_φ(s) = v_TestNode(p)(s) for all reachable states s.

Let l be the same as for TestNode(p).

(1) Let s be a reachable state of TAR in E_φ. We show that there exists an action ψ enabled in s such that (s,ψ) ∈ Ψ_φ.

lstatus((p,q)) ≠ branch, by TAR-A(a). If lstatus((p,q)) = rejected, then let ψ = NotInTree((p,q)).

Suppose lstatus((p,q)) = unknown in s. The rest of the argument is just like that for TestNode(p), except for the following cases.

Case 2.1: ChangeRoot(f) is enabled in s because awake = true by the precondition of φ.

Case 2.2.1: We show that ComputeMin(f) is enabled in s by showing that there are at least two fragments, as follows. If there is only one fragment, then f = fragment(p), and p ∉ testset(f) (since we assume testset(f) = ∅). But since we also assume lstatus((p,q)) = unknown, TAR-I gives a contradiction. Thus, there is an external link of f, and by GC-B, accmin(f) ≠ nil.

(2) Like TestNode(p), after noting that π cannot be NotInTree((p,q)). □

4.3.4 DC is Progressive for an Action of GC

The main idea is to show that REPORT messages converge on the core. This argument is local to one fragment.

Lemma 30: DC is progressive for ComputeMin(f) via M_4.

Proof: By Corollary 20, (P'_GC ∘ M_4) ∧ P_DC is true in every reachable state of DC. Thus, in the sequel we will use the HI, COM, GC and DC predicates.

Let Ψ_φ be the set of all pairs (s,ψ) of reachable states s of DC and actions ψ of DC such that in s, a REPORT(w) is in some dcqueue((q,p)) and either q is a child of p, or else dcstatus(p) = unfind and p = mw-root(f); and ψ ∈ {ChannelSend((q,p), REPORT(w)), ChannelRecv((q,p), REPORT(w)), ReceiveReport((q,p),w)}.

For reachable state s, let v_φ(s) be a quadruple with the following components:

1. The number of nodes p ∈ nodes(f) with dcstatus(p) = find.

2. The number of REPORT messages in dcqueue_q((q,p)), for all (p,q) ∈ subtree(f) such that either q is a child of p or else p = mw-root(f) and dcstatus(p) = unfind.

3. The number of REPORT messages in dcqueue_qp((q,p)), for all (p,q) ∈ subtree(f) such that either q is a child of p or else p = mw-root(f) and dcstatus(p) = unfind.

4. The number of REPORT messages in dcqueue_p((q,p)), for all (p,q) ∈ subtree(f) such that either q is a child of p or else p = mw-root(f) and dcstatus(p) = unfind.

(1) Let s be a reachable state of DC in E_φ. We show that there exists an action ψ enabled in s such that (s,ψ) ∈ Ψ_φ.

Claims about s:

1. minlink(f) = nil, by precondition.

2. accmin(f) ≠ nil, by precondition.

3. testset(f) = ∅, by precondition.

4. There is an external link of f, by Claim 2 and GC-A.

5. No FIND message is in subtree(f), by Claim 3 and DC-D(c).

6. If dcstatus(p) = find, then a REPORT message is in subtree(p) headed toward p, for any p ∈ nodes(f), by Claim 3 and DC-I(b).

Suppose a REPORT(w) is in some dcqueue((q,p)) and q is a child of p. By DC-B(a), inbranch(p) ≠ (p,q). Obviously, (p,q) ≠ core(f), so by DC-A(g), dcstatus(p) = find. By Claim 5 and DC-O, the REPORT(w) is the only message in dcqueue((q,p)). If it is in dcqueue_q((q,p)), let ψ = ChannelSend((q,p), REPORT(w)); if it is in dcqueue_qp((q,p)), let ψ = ChannelRecv((q,p), REPORT(w)); if it is in dcqueue_p((q,p)), let ψ = ReceiveReport((q,p),w). Obviously, ψ is enabled in s, and (s,ψ) ∈ Ψ_φ.

Suppose no REPORT is in any dcqueue((q,p)) with q a child of p. By Claim 6, dcstatus(p) = unfind for all p ∈ nodes(f). Then by Claims 1, 4 and 5, a REPORT(w) is in dcqueue((q,p)), where (p,q) = core(f) and p = mw-root(f). By Claim 5 and DC-O, the REPORT(w) is the only message in dcqueue((q,p)). If it is in dcqueue_q((q,p)), let ψ = ChannelSend((q,p), REPORT(w)); if it is in dcqueue_qp((q,p)), let ψ = ChannelRecv((q,p), REPORT(w)); if it is in dcqueue_p((q,p)), let ψ = ReceiveReport((q,p),w). Obviously, ψ is enabled in s, and (s,ψ) ∈ Ψ_φ.

(2) Let (s',π,s) be a step of DC, where s' is reachable and is in E_φ, (s',π) ∉ X_φ, and s ∈ E_φ. We note the following claims about s'.

1. testset(f) = ∅, by precondition.

2. minlink(f) = nil, by precondition.

3. No FIND is in subtree(f), by Claim 1 and DC-D(c).

(a) To show v_φ(s) ≤ v_φ(s'), we show that v_φ(s) = v_φ(s') if (s',π) ∉ Ψ_φ; this together with part (b) below gives the result. Suppose (s',π) ∉ Ψ_φ.

TestNode(p) is not enabled, for p ∈ nodes(f), by Claim 1. ChangeRoot(f), Merge(f,g), Merge(g,f), and Absorb(g,f) are not enabled, for g ∈ fragments, by Claim 2. ReceiveFind((p,q)), AfterMerge(p,q), ChannelSend((p,q),FIND), and ChannelRecv((p,q),FIND) are not enabled, for p ∈ nodes(f), by Claim 3. Thus π is none of the above actions.

If π = ChannelSend((q,p),REPORT(w)) or ChannelRecv((q,p),REPORT(w)), for (q,p) ∈ subtree(f), then v_φ is unchanged, since (s',π) ∉ Ψ_φ.

Suppose π = ReceiveReport((q,p),w).

Case 1: p is a child of q. By DC-A(a), inbranch(p) = (p,q). By DC-B(b), dcstatus(p) = unfind. So the only change is the removal of the message. Since p is a child of q, p ≠ mw-root(f), so v_φ is unchanged.

Case 2: (p,q) = core(f) and p ≠ mw-root(f). By DC-A(a), inbranch(p) = (p,q). The only effect is that either the message is requeued (if dcstatus(p) = find), or the message is removed (if dcstatus(p) = unfind); in both cases, v_φ is unchanged.

Case 3: (p,q) = core(f), p = mw-root(f), and dcstatus(p) = find. The only effect is that the message is requeued, so v_φ is unchanged.

Suppose π = Merge(g,h). By precondition, both minlink(g) and minlink(h) are non-nil in s'. So f ≠ g and f ≠ h. Obviously v_φ is unchanged.

Suppose π = Absorb(g,h). By precondition, minlink(h) ≠ nil in s', so f ≠ h by Claim 2. If f ≠ g, then obviously v_φ is unchanged. Suppose f = g. As in the proof of condition (3a) in Lemma 19 for viii) π = Absorb, Case 2, no REPORT message is headed toward minnode(h) and dcstatus(r) = unfind for all r ∈ nodes(h) in s'. Thus v_φ does not change.

The remaining actions (not mentioned above) obviously do not affect v_φ.

(b) Suppose (s',π) ∈ Ψ_φ. We show v_φ(s) < v_φ(s'). If π = ChannelSend(l,m), component 2 of v_φ decreases and component 1 is unchanged. If π = ChannelRecv(l,m), component 3 of v_φ decreases and components 1 and 2 are unchanged.

Suppose π = ReceiveReport((q,p),w).

Case 1: q is a child of p. By DC-B(a), inbranch(p) ≠ (p,q). By DC-A(g), dcstatus(p) = find. If findcount(p) = 1 in s', then component 1 of v_φ decreases. Otherwise, component 4 decreases and components 1 through 3 are unchanged.

Case 2: q is not a child of p, p = mw-root(f), and dcstatus(p) = unfind. So (p,q) = core(f). By DC-P, w > bestwt(p). But this contradicts (s',π) ∉ X_φ.

(c) Suppose (s',π) ∉ Ψ_φ, ψ is enabled in s', and (s',ψ) ∈ Ψ_φ. We show that ψ is still enabled in s and (s,ψ) ∈ Ψ_φ. Since the queues are FIFO, there is no way to disable ψ.

It remains to show that (s,ψ) is still in Ψ_φ.

One possible way (s,ψ) could no longer be in Ψ_φ is if the position of mw-root(f) changes, i.e., if π is Merge(f,g), Merge(g,f), Absorb(f,g), or Absorb(g,f), for some fragment g. But by Claim 2, minlink(f) = nil. Thus π cannot be Merge(f,g), Merge(g,f), or Absorb(g,f). Suppose π = Absorb(f,g). Let core(f) = (p,q), p = mw-root(f), and q be the endpoint of core(f) closest to target(minlink(g)) in s'. The minimum-weight external link of f has smaller weight than minlink(g), which by COM-A is the minimum-weight external link of g. Thus mw-root(f) does not change after Absorb(f,g).

Another way is if the position of core(f) changes. This only happens if π is Merge(f,g), Merge(g,f) or Absorb(g,f), which we showed is impossible.

The third way is if dcstatus(p) changes from unfind to find, where p = mw-root(f). This only happens if π = ReceiveFind((q,p)) for some q. But by Claim 3, no FIND is in subtree(f), and by DC-D, no FIND can be in an external link. □
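The variant-function argument of Lemma 30 can be exercised on a small model. The following Python block is an added example, not the thesis's own code: it models one fragment of DC with a constructed tree, REPORT(w) messages that move from child to parent through the three stages dcqueue_q, dcqueue_qp and dcqueue_p, and the quadruple v_φ defined above. A fair round-robin scheduler fires enabled actions and, at every step, the code checks the two facts the proof establishes: a step in Ψ_φ strictly decreases v_φ in the lexicographic order, and every other step leaves it unchanged, until the step corresponding to ComputeMin(f) occurs. The node names, the link weights and the choice of mw-root(f) are constructed assumptions.

```python
"""REPORT convergence in one fragment, checked against the quadruple variant.

Added example, not the thesis's own code.  The tree, node names, link
weights and the choice of mw-root(f) are constructed sample data.
"""
from collections import deque

# Constructed fragment f: inbranch (parent) of each node.  (p0,q0) is core(f);
# p0 is mw-root(f), the core endpoint on the side of the minimum-weight
# external link.  Leaves report the weight of their best external link.
PARENT = {"c": "a", "a": "q0", "b": "q0", "d": "p0", "e": "p0",
          "p0": "q0", "q0": "p0"}
CORE = ("p0", "q0")
MW_ROOT = "p0"
LEAF_WT = {"c": 7, "b": 9, "d": 4, "e": 11}
INF = float("inf")


def is_child(q, p):
    """q is a child of p in subtree(f); the core endpoints are not children."""
    return PARENT[q] == p and {q, p} != set(CORE)


def initial_state():
    """Interior nodes are in 'find' awaiting their children; every leaf has
    already put REPORT(w) at stage dcqueue_q of the link to its parent."""
    st = {"status": {}, "findcount": {}, "bestwt": {}, "queues": {}, "done": None}
    for p in PARENT:
        ch = [q for q in PARENT if is_child(q, p)]
        st["status"][p] = "find" if ch else "unfind"
        st["findcount"][p] = len(ch)
        st["bestwt"][p] = INF if ch else LEAF_WT[p]
        # the three stages of dcqueue((p, inbranch(p)))
        st["queues"][(p, PARENT[p])] = {"q": deque(), "qp": deque(), "p": deque()}
    for leaf, w in LEAF_WT.items():
        st["queues"][(leaf, PARENT[leaf])]["q"].append(w)
    return st


def counted(st, q, p):
    """Link (q,p) contributes to v_phi (and its actions lie in Psi_phi) iff
    q is a child of p, or p = mw-root(f) and dcstatus(p) = unfind."""
    return is_child(q, p) or (p == MW_ROOT and st["status"][p] == "unfind")


def variant(st):
    """v_phi(s): (#find nodes, #REPORTs at stage q, at stage qp, at stage p)
    over the counted links; tuples compare lexicographically."""
    nfind = sum(1 for p in PARENT if st["status"][p] == "find")
    stages = [sum(len(qs[stage]) for (q, p), qs in st["queues"].items()
                  if counted(st, q, p)) for stage in ("q", "qp", "p")]
    return (nfind, *stages)


STAGE = {"send": "q", "recv": "qp", "report": "p"}


def enabled(st, kind, link):
    return bool(st["queues"][link][STAGE[kind]])


def step(st, kind, link):
    """ChannelSend (q->qp), ChannelRecv (qp->p) or ReceiveReport on link (q,p)."""
    q, p = link
    qs = st["queues"][link]
    if kind == "send":
        qs["qp"].append(qs["q"].popleft())
    elif kind == "recv":
        qs["p"].append(qs["qp"].popleft())
    else:
        w = qs["p"].popleft()
        if is_child(q, p):
            st["findcount"][p] -= 1
            st["bestwt"][p] = min(st["bestwt"][p], w)
            if st["findcount"][p] == 0:           # last child has reported
                st["status"][p] = "unfind"
                st["queues"][(p, PARENT[p])]["q"].append(st["bestwt"][p])
        elif st["status"][p] == "find":
            qs["p"].append(w)                     # core REPORT requeued; state unchanged
        elif p == MW_ROOT:
            st["done"] = min(w, st["bestwt"][p])  # this step is ComputeMin(f)
        # else: the other core endpoint discards the REPORT from across the core


def run(max_steps=10_000):
    """Drive the fragment with a fair round-robin scheduler.  Returns
    (weight chosen by ComputeMin, steps taken, number of variant violations)."""
    st = initial_state()
    schedule = [(k, l) for l in st["queues"] for k in STAGE]
    i, steps, violations = 0, 0, 0
    while st["done"] is None and steps < max_steps:
        choices = [j for j in range(len(schedule)) if enabled(st, *schedule[j])]
        if not choices:
            break                                 # deadlock; Lemma 30 rules this out
        later = [j for j in choices if j > i]
        i = min(later) if later else min(choices)
        kind, link = schedule[i]
        before, in_psi = variant(st), counted(st, *link)
        step(st, kind, link)
        after = variant(st)
        if not (after < before if in_psi else after == before):
            violations += 1
        steps += 1
    return st["done"], steps, violations
```

Running `run()` returns the weight 4 of the minimum-weight external link (found on p0's side), the number of scheduler steps, and zero violations; the requeue of the core REPORT at a node still in find, which the proof's Cases 2 and 3 of part (2a) cover, is exactly the step that leaves v_φ unchanged.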
4.3.5 CON is Progressive for Some Actions of COM

To show that CON is progressive for Merge and Absorb, we just show that the CONNECT message on the minlink makes it across. For ChangeRoot, we show that the chain of CHANGEROOT messages eventually reaches the minnode. These arguments are all local to one fragment.

Lemma 31: CON is progressive for Merge(f,g), Absorb(f,g) and ChangeRoot(f) via M_6.

Proof: By Corollary 24, (P'_COM ∘ M_6) ∧ P_CON is true in every reachable state of CON. Thus, in the sequel we will use the HI, COM, and CON predicates.

i) φ is Merge(f,g). Let (p,q) = minedge(f). Let Ψ_φ be the set of all pairs (s,ψ) of reachable states s of CON and actions ψ of CON enabled in s, such that ψ ∈ {ChannelSend((q,p),CONNECT(l)), ChannelRecv((q,p),CONNECT(l)), Merge(f,g)}.

For reachable state s of CON, let v_φ(s) = (x,y), where x is the number of messages in cqueue_q((q,p)) in s, and y is the number of messages in cqueue_qp((q,p)) in s.

(1) Suppose s is a reachable state of CON in E_φ. We show that there is a ψ enabled in s such that (s,ψ) ∈ Ψ_φ.

Claims about s:

1. f ≠ g, by precondition.

2. minedge(f) = minedge(g) = (p,q), by precondition.

3. rootchanged(f) = true, by precondition.

4. rootchanged(g) = true, by precondition.

5. A CONNECT(l) message is in cqueue(k), for some external link k of f, by Claim 3.

6. A CONNECT(l) message is in cqueue((p,q)), by Claims 2, 5 and CON-D.

7. A CONNECT(m) message is in cqueue(k), for some external link k of g, by Claim 4.

8. A CONNECT(m) message is in cqueue((q,p)), by Claims 2, 6 and CON-D.

9. l = level(f), by Claim 5 and CON-D.

10. m = level(g), by Claim 7 and CON-D.

11. level(f) ≤ level(g), by Claim 2 and COM-A.

12. level(g) ≤ level(f), by Claim 2 and COM-A.

13. level(f) = level(g), by Claims 11 and 12.

14. l = m, by Claims 9, 10 and 13.

15. No CHANGEROOT message is in cqueue((q,p)), by Claim 1 and CON-C.

16. Exactly one CONNECT message is in cqueue((q,p)), by Claims 7, 8 and CON-D.

If CONNECT(l) is in cqueue_q((q,p)), then let ψ = ChannelSend((q,p),CONNECT(l)). If CONNECT(l) is in cqueue_qp((q,p)), then let ψ = ChannelRecv((q,p),CONNECT(l)). If CONNECT(l) is in cqueue_p((q,p)), then let ψ = Merge(f,g). It is easy to see in all cases that ψ is enabled in s and (s,ψ) ∈ Ψ_φ.

(2) Suppose (s',π,s) is a step of CON, s' is reachable and in E_φ, (s',π) ∉ X_φ, and s ∈ E_φ.

(a) The only actions that can increase v_φ are ComputeMin(g) and ChangeRoot(g). (Even though ChannelSend((q,p),m) would increase y, it would simultaneously decrease x.) By Claim 2, ComputeMin(g) is not enabled in s'. By Claim 4, ChangeRoot(g) is not enabled in s'.

(b) Suppose (s',π) ∈ Ψ_φ. Since (s',π) ∉ X_φ, π ≠ Merge(f,g). Obviously, the other two choices for ψ decrease v_φ.

(c) Suppose (s',π) ∉ Ψ_φ, ψ is enabled in s' and (s',ψ) ∈ Ψ_φ. We show ψ is enabled in s and (s,ψ) ∈ Ψ_φ. If ψ = ChannelSend or ChannelRecv, then it can only be disabled by occurring. If ψ = Merge(f,g), then since s ∈ E_φ, ψ is still enabled in s (by the argument in part (1)). In all cases, (s,ψ) ∈ Ψ_φ.

ii) φ is Absorb(f,g). Let (q,p) = minlink(g). Let Ψ_φ be the set of all pairs (s,ψ) of reachable states s of CON and actions ψ of CON enabled in s, such that ψ ∈ {ChannelSend((q,p),CONNECT(l)), ChannelRecv((q,p),CONNECT(l)), Absorb(f,g)}.

For reachable state s of CON, let v_φ(s) = (x,y), where x is the number of messages in cqueue_q((q,p)) in s, and y is the number of messages in cqueue_qp((q,p)) in s.

(1) Suppose s is a reachable state of CON in E_φ. We show that there is a ψ enabled in s such that (s,ψ) ∈ Ψ_φ.

Claims about s:

1. level(g) < level(f), by precondition.

2. (q,p) = minlink(g), by assumption.

3. f = fragment(p), by precondition.

4. rootchanged(g) = true, by precondition.

5. A CONNECT(l) message is in cqueue(k), where k is an external link of g, by Claim 4.

6. A CONNECT(l) message is in cqueue((q,p)), by Claims 2, 5 and CON-D.

7. No CHANGEROOT message is in cqueue((q,p)), by Claims 5 and 6 and CON-C.

If CONNECT(l) is in cqueue_q((q,p)), then let ψ = ChannelSend((q,p),CONNECT(l)). If CONNECT(l) is in cqueue_qp((q,p)), then let ψ = ChannelRecv((q,p),CONNECT(l)). If CONNECT(l) is in cqueue_p((q,p)), then let ψ = Absorb(f,g). In all cases, it is easy to see that ψ is enabled in s and (s,ψ) ∈ Ψ_φ.

(2) Suppose (s',π,s) is a step of CON, s' is reachable and in E_φ, (s',π) ∉ X_φ, and s ∈ E_φ.

(a) The only actions that can increase v_φ are ComputeMin(g) and ChangeRoot(g). (Even though ChannelSend((q,p),m) would increase y, it would simultaneously decrease x.) By Claim 2, ComputeMin(g) is not enabled in s'. By Claim 4, ChangeRoot(g) is not enabled in s'.

(b) Suppose (s',π) ∈ Ψ_φ. Since (s',π) ∉ X_φ, π ≠ Absorb(f,g). Obviously, the other two choices for ψ decrease v_φ.

(c) Suppose (s',π) ∉ Ψ_φ, ψ is enabled in s' and (s',ψ) ∈ Ψ_φ. We show ψ is enabled in s and (s,ψ) ∈ Ψ_φ. If ψ = ChannelSend or ChannelRecv, then it can only be disabled by occurring. If ψ = Absorb(f,g), then since s ∈ E_φ, ψ is still enabled in s (by the argument in part (1)). In all cases, (s,ψ) ∈ Ψ_φ by definition.

iii) φ is ChangeRoot(f). Let Ψ_φ be the set of all pairs (s,ψ) of reachable states s of CON and actions ψ of CON enabled in s, such that ψ ∈ {ReceiveChangeRoot((q,p)), ChannelSend((q,p),CHANGEROOT), ChannelRecv((q,p),CHANGEROOT) : p ∈ nodes(f)} ∪ {ChangeRoot(f)}.

For reachable state s of CON, let v_φ(s) be a triple defined as follows. If there is no CHANGEROOT message in subtree(f) in s, then v_φ(s) is (0,0,0). Suppose, in s, there is a CHANGEROOT message in cqueue((q,p)), where p ∈ nodes(f). Then v_φ(s) is:

1. the number of nodes in the path in subtree(f) from p to minnode(f) in s (counting the endpoints p and minnode(f));

2. the number of CHANGEROOT messages in cqueue_r((r,t)), for all t ∈ nodes(f) in s; and

3. the number of CHANGEROOT messages in cqueue_rt((r,t)), for all t ∈ nodes(f) in s.

(By CON-B and CON-C, there is only one CHANGEROOT message in subtree(f). By COM-G, HI-A and HI-B, there is a unique path in subtree(f) from p to minnode(f). Thus, v_φ(s) is well-defined.)

(1) We show that if s is a reachable state of CON in E_φ, then there is a ψ enabled in s such that (s,ψ) ∈ Ψ_φ.

Claims about s:

1. rootchanged(f) = false, by precondition of φ.

2. minlink(f) ≠ nil, by precondition of φ.

If |nodes(f)| = 1 (i.e., subtree(f) = {p}, for some p), then let ψ = ChangeRoot(f). Obviously, ψ is enabled in s and (s,ψ) ∈ Ψ_φ. Now suppose |nodes(f)| > 1.

3. minnode(f) ≠ root(f), by Claims 1 and 2 and CON-B.

4. Exactly one CHANGEROOT message is in cqueue((q,p)), for some (p,q) ∈ subtree(f), by Claims 1 and 2 and CON-B.

5. (q,p) ≠ core(f), by Claim 4 and CON-C.

6. No CONNECT message is in cqueue((q,p)), by Claim 5 and CON-E.

If the CHANGEROOT message is in cqueue_q((q,p)), then let ψ = ChannelSend((q,p),CHANGEROOT). If the CHANGEROOT message is in cqueue_qp((q,p)), then let ψ = ChannelRecv((q,p),CHANGEROOT). If the CHANGEROOT message is in cqueue_p((q,p)), then let ψ = ReceiveChangeRoot((q,p)). In all three cases, ψ is enabled in s because of Claims 4 and 6. By definition, (s,ψ) ∈ Ψ_φ.

(2) Suppose (s',π,s) is a step of CON such that s' is reachable and in E_φ, (s',π) ∉ X_φ, and s ∈ E_φ.

(a) We show that if (s',π) ∉ Ψ_φ, then v_φ(s) = v_φ(s'). Together with (b) below, it implies that v_φ(s) ≤ v_φ(s').

Since minlink(f) ≠ nil in s', π ≠ ComputeMin(f). Since rootchanged(f) = false in s', π ≠ Merge(f,g), Merge(g,f), or Absorb(g,f) for any g.

Suppose π = Absorb(f,g). First we show that minnode(f) is unchanged. By COM-A, level(h) ≥ level(f), where h = fragment(target(minlink(f))); by precondition of Absorb(f,g), h ≠ g, and thus wt(minlink(f)) < wt(minlink(g)). Also by COM-A, minlink(g) is the minimum-weight external link of g. Thus minlink(f) does not change. Second, we show that no CHANGEROOT message is in subtree(g). By precondition of Absorb(f,g), rootchanged(g) = true. Then by CON-C, no CHANGEROOT message is in subtree(g).

No other value of π such that (s',π) ∉ Ψ_φ affects v_φ.

(b) Suppose (s',π) ∈ Ψ_φ. We show v_φ(s) < v_φ(s').

If π = ChannelSend((q,p),CHANGEROOT), then the second component of v_φ decreases while the first remains the same. If π = ChannelRecv((q,p),CHANGEROOT), then the third component of v_φ decreases while the first two remain the same.

Suppose π = ReceiveChangeRoot((q,p)). By CON-C and CON-B there is exactly one CHANGEROOT message in subtree(f). Since (s',π) ∉ X_φ, p ≠ minnode(f). Thus, the first component of v_φ(s') is at least 1. The first component of v_φ decreases by 1 in s, by definition of tominlink(p). Thus v_φ(s) < v_φ(s').

(c) Suppose (s',π) ∉ Ψ_φ, ψ is enabled in s', and (s',ψ) ∈ Ψ_φ. We show ψ is enabled in s, and (s,ψ) ∈ Ψ_φ.

Suppose ψ = ChangeRoot(f).

Claims about s':

1. rootchanged(f) = false, by precondition of ψ.

2. minlink(f) ≠ nil, by precondition of ψ.

3. subtree(f) = {p}, by precondition of ψ.

4. No CHANGEROOT message is in cqueue((q,p)) for any q, by Claim 3 and CON-C.

5. ComputeMin(f) is not enabled, by Claim 2.

6. Merge(f,g), Merge(g,f), and Absorb(g,f) are not enabled for any g, by Claim 1.

7. ReceiveChangeRoot((q,p)) is not enabled for any q, by Claim 4.

By Claims 5, 6 and 7, π is no action that can disable ψ; hence, ψ is enabled in s. By definition, (s,ψ) ∈ Ψ_φ.


Suppose ψ = ReceiveChangeRoot((q,p)), ChannelSend((q,p), CHANGEROOT), or ChannelRecv((q,p), CHANGEROOT). The only action that can disable ψ is ψ itself. Thus, ψ is enabled in s and (s,ψ) ∈ Ψ_φ.

4.3.6 GHS is Equitable for TAR

The interesting arguments are for showing GHS is equitable for SendTest(p), and for ChangeRoot(f) when subtree(f) is a singleton node. For SendTest(p), we show that an INITIATE-find message eventually reaches p. The big effort is for ChangeRoot(f). We must show that eventually every node will be awakened, either by a Start action, or by the receipt of a CONNECT or TEST message. This requires a global argument about the entire graph. This is another place in which the state component of Ψ_φ in the definition of progressive is needed, since it is possible for a message to be requeued, leaving the state unchanged.

Lemma 32: GHS is equitable for TAR via M_TAR.

Proof: We show that GHS is equitable for each locally-controlled action φ of TAR via M_TAR. First, a point of notation: let Receive((q,p),m) be a synonym for ReceiveConnect((q,p),l) if m = CONNECT(l), a synonym for ReceiveInitiate((q,p),l,c,st) if m = INITIATE(l,c,st), etc.

By Corollary 26, P_GHS holds in every reachable state of GHS. Thus, in the sequel we will use the HI, COM, GC, TAR, DC, NOT, CON and GHS predicates.

i) φ is InTree(l) or NotInTree(l). By Lemma 5, we are done.

ii) φ is ChannelSend((q,p),m). We show that GHS is progressive for φ via M_TAR. Lemma 6 gives the result.

Let Ψ_φ be the set of all pairs (s,ψ) of reachable states s of GHS and actions ψ of GHS enabled in s such that m' is the message at the head of queue_q((q,p)) in s, and ψ = ChannelSend((q,p),m').

For reachable state s, let v_φ(s) be the number of messages in queue_q((q,p)) ahead of the message at the head of tarqueue_q((q,p)).

Verifying the progressive conditions is straightforward.

iii) φ is ChannelRecv((q,p),m). We show that GHS is progressive for φ via M_TAR. Lemma 6 gives the result.

Let Ψ_φ be the set of all pairs (s,ψ) of reachable states s of GHS and actions ψ of GHS enabled in s such that m' is the message at the head of queue_qp((q,p)) in s, and ψ = ChannelRecv((q,p),m').

For reachable state s, let v_φ(s) be the number of messages in queue_qp((q,p)) ahead of the message at the head of tarqueue_qp((q,p)).

Verifying the progressive conditions is straightforward.

iv) φ is ReceiveTest((q,p),l,c), ReceiveAccept((q,p)), or ReceiveReject((q,p)). We show that GHS is progressive for φ via M_TAR. Lemma 6 gives the result.

Let Ψ_φ be the set of all pairs (s,ψ) of reachable states s of GHS and actions ψ of GHS enabled in s such that m' is the message at the head of queue_p((q,p)) in s, and ψ = Receive((q,p),m').

For reachable state s, let v_φ(s) be the number of messages in queue_p((q,p)) ahead of the message at the head of tarqueue_p((q,p)).

Verifying the progressive conditions is straightforward.
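The FIFO-queue argument of cases ii) to iv), carried out mechanically on one link in the I/O-automaton style of the Appendix; this is an added example, not code from the paper. It assumes that the link state is the proof's three queues queue_q, queue_qr and queue_r, that each stage is its own class of part(A), and that TEST, ACCEPT and REJECT are the TAR-level messages; Send, LinkAutomaton, check_progressive and the other names are this example's own.

```python
# Added example, not from the paper: one GHS link (q, r) as a small I/O automaton in
# the Appendix's style, with checkers for the "progressive" conditions (1), (2a), (2b),
# (2c) of cases ii) and iii) of Lemma 32 and the Appendix's fairness condition (1).
# Assumptions: the state is the proof's three FIFO queues queue_q, queue_qr, queue_r;
# each stage is its own class of part(A); TEST, ACCEPT and REJECT are the TAR messages.
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Tuple
TAR_MSGS = {"TEST", "ACCEPT", "REJECT"}  # constructed alphabet (assumption)
State = Dict[str, Tuple[str, ...]]        # queue name -> FIFO contents
# action -> (source queue, destination queue); None: node r consumes the message
STAGES = {"ChannelSend": ("q", "qr"), "ChannelRecv": ("qr", "r"), "Receive": ("r", None)}
@dataclass(frozen=True)
class Action:
    name: str  # Send | ChannelSend | ChannelRecv | Receive
    msg: str
    kind: str  # input | internal | output
class LinkAutomaton:
    """Send(m) is an input (node q appends m to queue_q); the other actions move
    the head of one queue to the next, Receive being the output to node r."""
    def __init__(self, msgs):
        self.start: State = {"q": (), "qr": (), "r": ()}
        self.actions = [Action("Send", m, "input") for m in msgs]
        for name, (_, dst) in STAGES.items():
            kind = "output" if dst is None else "internal"
            self.actions += [Action(name, m, kind) for m in msgs]

    def enabled(self, s: State, a: Action) -> bool:
        if a.kind == "input":
            return True  # an input action is enabled in every state
        src = STAGES[a.name][0]
        return len(s[src]) > 0 and s[src][0] == a.msg

    def step(self, s: State, a: Action) -> State:
        assert self.enabled(s, a), "not a transition of the automaton"
        t = dict(s)
        if a.kind == "input":
            t["q"] = s["q"] + (a.msg,)
            return t
        src, dst = STAGES[a.name]
        t[src] = s[src][1:]
        if dst is not None:
            t[dst] = s[dst] + (a.msg,)
        return t

    def reachable(self, max_msgs: int) -> List[State]:
        """BFS over the reachable states with at most max_msgs messages in flight."""
        key = lambda s: (s["q"], s["qr"], s["r"])
        seen, todo = {key(self.start): self.start}, deque([self.start])
        while todo:
            s = todo.popleft()
            for a in self.actions:
                if a.kind == "input" and sum(map(len, s.values())) >= max_msgs:
                    continue  # bound the state space
                if self.enabled(s, a):
                    t = self.step(s, a)
                    if key(t) not in seen:
                        seen[key(t)] = t
                        todo.append(t)
        return list(seen.values())

    def is_fair(self, execution: list) -> bool:
        """Appendix condition (1): no locally-controlled action is enabled in sn."""
        return not any(self.enabled(execution[-1], a)
                       for a in self.actions if a.kind != "input")

def execute(A: LinkAutomaton, acts: List[Action]):
    e, s = [A.start], A.start  # the execution s0 a1 s1 ... and alpha | ext(A)
    for a in acts:
        s = A.step(s, a)
        e += [a, s]
    return e, [a for a in acts if a.kind != "internal"]

# Progressive conditions for phi = ChannelRecv((q, r), m), m the head of tarqueue_qr.
def tar_head(s: State):  # head of tarqueue_qr; None means s is not in E_phi
    return next((m for m in s["qr"] if m in TAR_MSGS), None)
def v_phi(s: State) -> int:  # messages in queue_qr ahead of the head of tarqueue_qr
    return s["qr"].index(tar_head(s))
def in_psi(s: State, a: Action) -> bool:  # (s, a) in Psi_phi: deliver the head of queue_qr
    return a.name == "ChannelRecv" and len(s["qr"]) > 0 and s["qr"][0] == a.msg
def in_x(s: State, a: Action) -> bool:  # (s, a) in X_phi: the step that simulates phi
    return in_psi(s, a) and a.msg == tar_head(s)

def check_progressive(A: LinkAutomaton, states: List[State]) -> bool:
    for s in states:  # s plays the role of s' in the proof
        if tar_head(s) is None:
            continue  # s is not in E_phi
        acts = [a for a in A.actions if A.enabled(s, a)]
        if not any(in_psi(s, a) for a in acts):
            return False  # (1): some psi with (s, psi) in Psi_phi must be enabled
        for pi in (a for a in acts if not in_x(s, a)):
            t = A.step(s, pi)
            if in_psi(s, pi):
                if not v_phi(t) < v_phi(s):
                    return False  # (2b): v_phi strictly decreases
            elif v_phi(t) != v_phi(s):
                return False  # (2a): every other step leaves v_phi unchanged
            elif any(in_psi(s, p) and not (A.enabled(t, p) and in_psi(t, p)) for p in acts):
                return False  # (2c): pi disables no psi with (s, psi) in Psi_phi
    return True
```

Running check_progressive over LinkAutomaton(["TEST", "ACCEPT", "CHANGEROOT"]).reachable(3) exhausts every state with at most three messages in flight and returns True, which is the "straightforward" verification of the three cases.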

v) φ is SendTest(p). We show that GHS is progressive for φ via M_TAR. Lemma 6 gives the result.

Let Ψ_φ be the set of all pairs (s,ψ) of reachable states s of GHS and actions ψ of GHS enabled in s such that one of the following is true. (Let f = fragment(p).)

• CONNECT(l) is in queue((q,r)), where (q,r) = core(f) and p ∈ subtree(q), m is any message in queue((q,r)) that is not behind the CONNECT(l) in s, and ψ ∈ {ChannelSend((q,r),m), ChannelRecv((q,r),m), Receive((q,r),m)}.

• An INITIATE(l,c,find) message in queue((t,u)) is headed toward p and m is any message in queue((t,u)) that is not behind the INITIATE(l,c,find) in s, and ψ ∈ {ChannelSend((t,u),m), ChannelRecv((t,u),m), Receive((t,u),m)}.

For reachable state s, v_φ(s) is a 7-tuple with the following components.

If no CONNECT is in queue((q,r)), where (q,r) = core(f) and p ∈ subtree(q) in s, then components 1 through 3 are 0. Suppose otherwise. By CON-D and CON-E, there is only one CONNECT message in queue((q,r)).

1. The number of messages in queue_q((q,r)) that are not behind the CONNECT.

2. The number of messages in queue_qr((q,r)) that are not behind the CONNECT.

3. The number of messages in queue_r((q,r)) that are not behind the CONNECT.

If no INITIATE(l,c,find) is headed toward p, then components 4 through 6 are 0. By DC-S, there is at most one such message. Suppose such a message is in queue((t,u)).

4. The number of nodes on the path in subtree(f) from u to p, including the endpoints.

5. The number of messages in queue_t((t,u)) that are not behind the INITIATE(l,c,find).

6. The number of messages in queue_tu((t,u)) that are not behind the INITIATE(l,c,find).

7. The number of messages in queue_u((t,u)) that are not behind the INITIATE(l,c,find).

(1) Let s be a reachable state of GHS in E_φ. Thus, p ∈ testset(f) and testlink(p) = nil. By the definition of testset(f), either a find message is headed toward p in some queue((q,r)), or a CONNECT message is in queue((q,r)), where (q,r) = core(f) and p ∈ subtree(q). In either case, let m be the message at the head of queue((t,u)). Let ψ be ChannelSend((q,r),m) if m is in queue_q((q,r)); let ψ be ChannelRecv((q,r),m) if m is in queue_qr((q,r)); let ψ be Receive((q,r),m) if m is in queue_r((q,r)). Obviously, ψ is enabled in s and (s,ψ) ∈ Ψ_φ.

(2) Let (s',π,s) be a step of GHS, s' be reachable and in E_φ, (s',π) ∉ X_φ, and s ∈ E_φ.

(a) We show that if (s',π) ∉ Ψ_φ then v_φ(s') = v_φ(s); together with (b) below, this is enough. We consider all the ways that v_φ could change.

Can a CONNECT be added to queue((q,r)), with (q,r) = core(f), by π? By COM-F, (q,r) ∈ subtree(f), so by TAR-A(b), lstatus((q,r)) = branch. Yet by inspecting the code, we see that CONNECT is only added to a queue if its lstatus is not branch, or if the source node is sleeping, in which case GHS-A(c) implies that the lstatus is not branch.

Since we've assumed (s',π) ∉ X_φ, no CONNECT can be removed from the relevant queue.

For a given fragment f, core(f) never changes.

Can the identity of fragment(p) change? Since p ∈ testset(f) by the precondition of φ, minlink(f) = nil in s' by GC-C. Thus no Absorb(g,f), Merge(f,g) or Merge(g,f) is enabled in s'.

The number of messages in the same queue as the relevant CONNECT message but not behind it cannot change, because the queues are FIFO (and (s',π) ∉ Ψ_φ).

Can a relevant INITIATE message be added? The only way it can is if either a CONNECT message in queue((q,r)) with (q,r) = core(f) and p ∈ subtree(q) is received, or if the same INITIATE message headed toward p is received. Since (s',π) ∉ Ψ_φ, π is neither of these actions.

Can the path from u to p change, where an INITIATE(l,c,find) is in queue((t,u)) headed toward p? By definition of headed toward and HI-A and HI-B, there is a unique path from u to p in s'. Since HI-A and HI-B are also true in s and since the minimum spanning tree is unique (by Lemma 10), the same unique path from u to p exists in s.

The number of messages in the same queue as the relevant INITIATE message but not behind it cannot change, because the queues are FIFO (and (s',π) ∉ Ψ_φ).

(b) It is easy to check that v_φ(s) < v_φ(s') if (s',π) ∈ Ψ_φ.

(c) No action ψ such that (s',ψ) ∈ Ψ_φ can become disabled in s without occurring, since the queues are FIFO.


vi) φ is ComputeMin(f). We show that the hypotheses of Lemma 7 are satisfied to get the result.

Let A = GHS, B = TAR, C = DC, D = GC, and φ = ComputeMin(f) in the hypotheses of Lemma 7.

(1) If e is an execution of GHS, then by Lemmas 1 and 25, M_DC(e) is an execution of DC.

(2) Let s be a reachable state of TAR. If φ is enabled in S_TAR(s), then as argued in Section 4.2.3 (TAR to GC), φ is enabled in S_3(S_TAR(s)). By the way the S's are defined, S_3(S_TAR(s)) = S_4(S_DC(s)), so φ is enabled in S_4(S_DC(s)).

(3) Suppose (s',π,s) is a step of GHS and s' is reachable. If φ is not in M_TAR(s',π), then φ is not in M_4(M_DC(s'πs)) by inspection.

(4) DC is progressive for φ via M_4, using Ψ_φ and v_φ, by Lemma 30.

(5) Let ψ be such that (t,ψ) ∈ Ψ_φ for some t. Possible values of ψ are ChannelSend(l, REPORT(w)), ChannelRecv(l, REPORT(w)), and ReceiveReport(l,w). Essentially the same arguments as in ii), iii) and iv) show that GHS is progressive for ψ.

vii) φ is ChangeRoot(f) and subtree(f) is not {p} for any p. We show that the hypotheses of Lemma 7 are satisfied to get the result.

Let A = GHS, B = TAR, C = CON, D = COM, and φ = ChangeRoot(f) in the hypotheses of Lemma 7.

(1) If e is an execution of GHS, then by Lemmas 1 and 25, M_CON(e) is an execution of DC.

(2) Let s be a reachable state of TAR. Suppose φ is enabled in S_TAR(s). As argued in Section 4.2.3 (TAR to GC), φ is enabled in S_3(S_TAR(s)). As argued in Section 4.2.2 (GC to COM), φ is enabled in S_2(S_3(S_TAR(s))). By the way the S's are defined, S_2(S_3(S_TAR(s))) = S_6(S_CON(s)), so φ is enabled in S_6(S_CON(s)).

(3) Suppose (s',π,s) is a step of GHS and s' is reachable. If φ is not in M_TAR(s',π), then φ is not in M_6(M_CON(s'πs)) by inspection.

(4) CON is progressive for φ via M_6, using Ψ_φ and v_φ, by Lemma 31.

(5) Let ψ be such that (t,ψ) ∈ Ψ_φ for some t. Possible values of ψ are ChannelSend(l, CHANGEROOT), ChannelRecv(l, CHANGEROOT), and ReceiveChangeRoot(l). Essentially the same arguments as in ii), iii) and iv) show that GHS is progressive for ψ.

viii) φ is ChangeRoot(f), subtree(f) is {p} for some p. We show that GHS is progressive for φ via M_TAR. Lemma 6 gives the result.

Let Ψ_φ be the set of all pairs (s,ψ) of reachable states s of GHS and internal actions ψ of GHS enabled in s such that none of the following is true:

• ψ = ReceiveConnect((q,r),l) for some q, r and l, and in s, nstatus(r) ≠ sleeping, l > nlevel(r), lstatus((r,q)) = unknown, and only one message is in queue_r((q,r)).

• ψ = ReceiveTest((q,r),l,c) for some q, l, c and r, and in s, nstatus(r) ≠ sleeping, l > nlevel(r), and only one message is in queue_r((q,r)).

• ψ = ReceiveReport((q,r),w) for some q, r and w, and in s, inbranch(r) = (q,r), nstatus(r) = find, and only one message is in queue_r((q,r)).

For reachable state s, let v_φ(s) be the following tuple:

1. The number of fragments in s.

2. The number of fragments g with rootchanged(g) = false in s.

3. The number of fragments g with minlink(g) = nil in s.

4. The number of nodes q ∈ V(G) such that q ∈ testset(fragment(q)).

5. The summation over all q ∈ V(G) of level(fragment(q)) − nlevel(q).

6. The summation over all q ∈ V(G) of findcount(q).

7. The number of links (q,r) such that either lstatus((q,r)) = unknown, or else lstatus((q,r)) = branch and there is a protocol message for (q,r).

8. The number of links (q,r) such that no ACCEPT or REJECT is in queue((q,r)).

9. The summation, over all fragments g such that a CHANGEROOT is in some queue((q,r)) of subtree(g), of the number of nodes in the path in subtree(g) from r to minnode(g).

10. The number of fragments g such that AfterMerge(q,r) for DC is enabled for some q ∈ nodes(g).

11. The number of messages in queue_q((q,r)), for all (q,r) ∈ L(G).

12. The number of messages in queue_qr((q,r)), for all (q,r) ∈ L(G).

13. The number of messages in queue_r((q,r)), for all (q,r) ∈ L(G).

14. The number of messages in queue_r((q,r)) that are behind a CONNECT or TEST, for all (q,r) ∈ L(G).

(1) Let s be a reachable state of GHS in E_φ. We now demonstrate that some action ψ is enabled in s with (s,ψ) ∈ Ψ_φ.

By preconditions of φ, awake = true, minlink(f) ≠ nil and rootchanged(f) = false in s. By GHS-K, nstatus(p) = sleeping in s. But since awake = true, there is some node q such that nstatus(q) ≠ sleeping. Thus A, the set of all fragments g such that nstatus(q) ≠ sleeping for some q ∈ nodes(g), is non-empty. Let l be the minimum level of all fragments in A, and let A_l = {g ∈ A : level(g) = l}.

The strategy is to use a case analysis as follows. For each case, we show that there is some queue((q,r)) with some message m in it in s. Let ψ be chosen as follows. If some message m' is at the head of queue_q((q,r)), let ψ = ChannelSend((q,r),m'). If no message is in queue_q((q,r)) and some message m' is at the head of queue_qr((q,r)), let ψ = ChannelRecv((q,r),m'). If no message is in queue_q((q,r)) or queue_qr((q,r)), then at least one message, namely m, is in queue_r((q,r)); let ψ = Receive((q,r),m'), where m' is the message at the head of queue_r((q,r)).

For each choice, ψ is obviously enabled in s. There are two methods to verify that (s,ψ) ∈ Ψ_φ. Method 1 is to show that m is not CONNECT, TEST or REPORT. Then, if ψ = Receive((q,r),m') and m' is CONNECT, TEST or REPORT, there is more than one message in queue_r((q,r)). Method 2 is to show that some variable in s has a value such that even if ψ = Receive((q,r),m'), where m' is CONNECT, TEST or REPORT, we have that (s,ψ) ∈ Ψ_φ.

Case 1: There is a fragment g ∈ A_l with testset(g) ≠ ∅. Let q be some element of testset(g). By definition of testset(g), Cases 1.1, 1.2 and 1.3 are exhaustive.

Case 1.1: A CONNECT(l) message is in queue((r,t)), where (r,t) = core(g) and q ∈ subtree(r) in s. We use Method 2. By COM-F, (r,t) ∈ subtree(g), so by TAR-A(b), lstatus((t,r)) = branch.

Case 1.2: An INITIATE(l,c,find) message is in some queue((r,t)) headed toward q in s. By Method 1, we are done.

Case 1.3: testlink(q) ≠ nil in s. By TAR-C(a), testlink(q) = (q,r) for some r. By TAR-C(c), there is a protocol message for (q,r).

Case 1.3.1: The protocol message is an ACCEPT or REJECT in queue((r,q)). By Method 1, we are done.

Case 1.3.2: The protocol message is TEST(l',c) in queue((q,r)). Thus lstatus((q,r)) ≠ rejected. By TAR-E(b), l' = l. If nstatus(r) = sleeping or l ≤ nlevel(r), we are done, by Method 2. Suppose nstatus(r) ≠ sleeping and l > nlevel(r). By definition of A_l, l ≤ level(fragment(r)), and thus nlevel(r) < level(fragment(r)). By NOT-G, either a NOTIFY(level(fragment(r))) message is in some queue((t,u)) headed toward r, in which case we are done by Method 1, or AfterMerge(t,u) is enabled for NOT, with r ∈ subtree(u). In the latter case, by GHS-L, a CONNECT is at the head of queue((u,t)); the same argument as in Case 1.1 gives the result.

Case 2: testset(g) = ∅ for all g ∈ A_l.

Case 2.1: There is a fragment g in A_l with minlink(g) = nil. Since g ≠ f and G is connected, there is an external link of g. Since testset(g) = ∅, by DC-D(c) no find message is in subtree(g).

Suppose dcstatus(q) = unfind for all q ∈ nodes(g). By definition of minlink(g), a REPORT message is in some queue((q,r)) headed toward mw-root(g). We are done by Method 2.

Suppose dcstatus(q) = find for some q ∈ nodes(g). By DC-I(b), since testset(g) = ∅, a REPORT message is in some queue((r,t)) in subtree(q) headed toward q. By DC-B(a), inbranch(t) ≠ (t,r). We are done by Method 2.

Case 2.2: minlink(g) ≠ nil for all g ∈ A_l.

Case 2.2.1: There is a fragment g in A_l with rootchanged(g) = false. By GHS-K, if subtree(g) = {q} for some q, then nstatus(q) = sleeping. By definition of A_l, subtree(g) ≠ {q} for any q. By CON-B, a CHANGEROOT message is in some queue((q,r)) in subtree(g). We are done by Method 1.

Case 2.2.2: rootchanged(g) = true for all g ∈ A_l. By CON-D, a CONNECT message is in queue(minlink(g)) for all g ∈ A_l.

Case 2.2.2.1: There is a fragment g in A_l with minlink(g) = (q,r) and level(fragment(r)) > l.

If nlevel(r) > l, we are done by Method 2. Suppose nlevel(r) ≤ l. Essentially the same argument as in Case 1.3(b) gives the result.

Case 2.2.2.2: For all fragments g in A_l, level(fragment(target(minlink(g)))) ≤ l. By COM-A, level(fragment(target(minlink(g)))) = l for all g ∈ A_l.

Case 2.2.2.2.1: There is a fragment g in A_l such that minlink(g) = (q,r), and fragment(r) ∉ A_l. By definition of A_l, nstatus(r) = sleeping, and we are done by Method 2.

Case 2.2.2.2.2: For all fragments g in A_l, fragment(target(minlink(g))) ∈ A_l. As argued in Lemma 27, Case 2.2.2 of verifying (1) for φ = Combine, there are two fragments g and h in A_l such that minedge(g) = minedge(h) = (q,r). By TAR-H, lstatus((r,q)) = lstatus((q,r)) = branch. By Method 2, we are done.


(2) Let (s',π,s) be a step of GHS, where s' is reachable and in E_φ, (s',π) ∉ X_φ, and s ∈ E_φ.

(a) We show that if (s',π) ∉ Ψ_φ then v_φ(s) = v_φ(s'); together with part (b) below, this gives the result. Ψ_φ is defined to include all the state-action pairs that change the state. Thus, if (s',π) ∉ Ψ_φ, then s = s', and obviously v_φ(s) = v_φ(s').

(b) Suppose (s',π) ∈ Ψ_φ. The breakdown of cases in this argument is essentially the same as in the proof of the safety step simulations in Lemma 25. The notation "Component 12" in a case means that component 12 of v_φ decreases in going from s' to s, and components 1 through 11 are unchanged.

• π = ChannelSend((q,r),m). Component 11.

• π = ChannelRecv((q,r),m). Component 12.

• π = ReceiveConnect((q,r),l).

Case 1: nstatus(r) = sleeping in s'. If (q,r) is not the minimum-weight external link of r, then component 2. Otherwise, component 1.

Case 2: nstatus(r) ≠ sleeping, l = nlevel(r) and no CONNECT is in queue((r,q)) in s'.

Suppose lstatus((r,q)) = unknown. Since (s',π) ∈ Ψ_φ, another message is in queue((q,r)). By CON-D, CON-E and GHS-C, the other message is not a CONNECT or TEST. Component 14.

Suppose lstatus((r,q)) ≠ unknown. Since DC simulates AfterMerge(r,q), neither AfterMerge(r,q) nor AfterMerge(q,r) is enabled in s. Component 10.

Case 3: nstatus(r) ≠ sleeping, l = nlevel(r), and CONNECT is in queue((r,q)) in s'. Component 1.

Case 4: nstatus(r) ≠ sleeping and l < nlevel(r) in s'. Component 1.

• π = ReceiveInitiate((q,r),l,c,st). By NOT-H(a), l > nlevel(r). Component 5.

• π = ReceiveTest((q,r),l,c). Let g = fragment(r).

Case 1: nstatus(r) = sleeping in s'. Component 2.

Case 2: nstatus(r) ≠ sleeping in s'.

Case 2.1: l ≤ level(g), and either c ≠ core(g) or testlink(r) ≠ (r,q) in s'. If an ACCEPT is added, then component 8. If a REJECT is added, then either component 7 or component 8.

Case 2.2: l ≤ level(g), c = core(g), and testlink(r) = (r,q) in s'. If there is no link (r,t), t ≠ q, with lstatus((r,t)) = unknown, then component 4. If there is such a link, then component 7.

Case 2.3: l > level(g) in s'. Since (s',π) ∈ Ψ_φ, there is another message in queue_r((q,r)). By TAR-C(c) and GHS-C, the other message is not CONNECT or TEST. Component 14.

• π = ReceiveAccept((q,r)). Component 4.

• π = ReceiveReject((q,r)). If there is no link (r,t), t ≠ q, with lstatus((r,t)) = unknown, then component 4. If there is such a link, then component 7.

• π = ReceiveReport((q,r),w).

Case 1: (q,r) = core(g), nstatus(r) ≠ find and w > bestwt(r) in s'. If lstatus(bestlink(r)) = branch, then component 3. Otherwise, component 2.

Case 2a: (q,r) ≠ core(g) in s'. If inbranch(r) = (r,q), then component 13. Otherwise, component 6.

Case 2b: (q,r) = core(g) and nstatus(r) = find in s'. The only change is that the REPORT message is requeued. We show that there is no other message in queue((q,r)), and thus (s',π) ∉ Ψ_φ. First note that by COM-F, (q,r) ∈ subtree(g). By GHS-B, no CONNECT is in the queue. By DC-O, no INITIATE(*,*,found) is in the queue. By GHS-E, no INITIATE(*,*,find) is in the queue. By TAR-E(a), no TEST or REJECT is in the queue. By DC-O, no other REPORT is in the queue. By TAR-F, no ACCEPT is in the queue. By CON-C, no CHANGEROOT is in the queue.

Case 2c: (q,r) = core(g), nstatus(r) = unfind, and w ≤ bestwt(r). Component

• π = ReceiveChangeRoot((q,r)). If lstatus(bestlink(r)) ≠ branch, then component 2. Otherwise, component 9.

(c) Suppose (s',π) ∉ Ψ_φ, ψ is enabled in s', and (s',ψ) ∈ Ψ_φ. Since (s',π) ∉ Ψ_φ, s = s'. Obviously, ψ is enabled in s and (s,ψ) ∈ Ψ_φ.


ix) φ is Merge(f,g). We use Lemma 7. The same argument as in vii), with φ = Merge(f,g) and (3) as below, gives the result.

(3) Let ψ be such that (t,ψ) ∈ Ψ_φ for some t. Possible values of ψ are ChannelSend(k, CONNECT(l)), ChannelRecv(k, CONNECT(l)), and Merge(f,g). Essentially the same arguments as in ii), iii) and iv) show that GHS is progressive for ψ.

x) φ is Absorb(f,g). We use Lemma 7. The same argument as in vii), with φ = Absorb(f,g) and (3) as below, gives the result.

(3) Let ψ be such that (t,ψ) ∈ Ψ_φ for some t. Possible values of ψ are ChannelSend(k, CONNECT(l)), ChannelRecv(k, CONNECT(l)), and Absorb(f,g). Essentially the same arguments as in ii), iii) and iv) show that GHS is progressive for ψ. □

4.4 Satisfaction

Theorem 33: GHS solves MST(G).

Proof: By Theorem 12, HI solves MST(G). By Lemmas 13 and 27 and Theorem 8, COM satisfies HI. By Lemmas 15 and 28 and Theorem 8, GC satisfies COM. By Lemmas 17 and 29 and Theorem 8, TAR satisfies GC. By Lemmas 25 and 32 and Theorem 9, GHS satisfies TAR. Thus, since "satisfies" and "solves" are defined using subsets of schedules, GHS solves MST(G). □
Appendix

In this Appendix, we review the aspects of the model from [LT] that are relevant to this paper.

An input-output automaton A is defined by the following four components. (1) There is a (possibly infinite) set of states with a subset of start states. (2) There is a set of actions, associated with the state transitions. The actions are divided into three classes, input, output, and internal. Input actions are presumed to originate in the automaton's environment; consequently the automaton must be able to react to them no matter what state it is in. Output and internal actions (or, locally-controlled actions) are under the local control of the automaton; internal actions model events not observable by the environment. The input and output actions are the external actions of A, denoted ext(A). (3) The transition relation is a set of (state, action, state) triples, such that for any state s' and input action π, there is a transition (s',π,s) for some state s. (4) There is an equivalence relation part(A) partitioning the output and internal actions of A. The partition is meant to reflect separate pieces of the system being modeled by the automaton. Action π is enabled in state s' if there is a transition (s',π,s) for some state s.


An execution e of A is a finite or infinite sequence s_0 π_1 s_1 ... of alternating states and actions such that s_0 is a start state, (s_{i−1}, π_i, s_i) is a transition of A for all i, and if e is finite then e ends with a state. The schedule of an execution e is the subsequence of actions appearing in e.


We often want to specify a desired behavior using a set of schedules. Thus we define an external schedule module S to consist of input and output actions, and a set of schedules scheds(S). Each schedule of S is a finite or infinite sequence of the actions of S. Internal actions are excluded in order to focus on the behavior visible to the outside world. External schedule module S' is a sub-schedule module of external schedule module S if S and S' have the same actions and scheds(S') ⊆ scheds(S).


Automata can be composed to form another automaton, presumably modeling a system made of smaller components. Automata communicate by synchronizing on shared actions; the only allowed situations are for the output from one automaton to be the input to others, and for several automata to share an input. Thus, automata to be composed must have no output actions in common, and the internal actions of each must be disjoint from all the actions of the others. A state of the composite automaton is a tuple of states, one for each component. A start state of the composition has a start state in each component of the state. Any output action of a component becomes an output action of the composition, and similarly for an internal action. An input action of the composition is an action that is input for every component for which it is an action. In a transition of the composition on action π, each component of the state changes as it would in the component automaton if π occurred; if π is not an action of some component automaton, then the corresponding state component does not change. The partition of the composition is the union of the partitions of the component automata.

Given an automaton A and a subset Π of its actions, we define the automaton A' differing from A only in that each action in Π becomes an internal action. This operation is useful for hiding actions that model interprocess communication in a composite automaton, so that they are no longer visible to the environment of the composition.

An execution of a system is fair if each component is given a chance to make progress infinitely often. Of course, a process might not be able to take a step every time it is given a chance. Formally stated, execution e of automaton A is fair if for each class C of part(A), the following two conditions hold. (1) If e is finite, then no action of C is enabled in the final state of e. (2) If e is infinite, then either actions from C appear infinitely often in e, or states in which no action of C is enabled appear infinitely often in e. Note that any finite execution of A is a prefix of some fair execution of A.

The fair behavior of automaton A, denoted Fairbehs(A), is the external schedule module with the input and output actions of A, and with the set of schedules {α|ext(A) : α is the schedule of a fair execution of A}.¹ A problem is (specified by) an external schedule module. Automaton A solves the problem P if Fairbehs(A) is a sub-schedule module of P, i.e., the behavior of A visible to the outside world is consistent with the behavior required in the problem specification. Automaton A satisfies automaton B if Fairbehs(A) is a sub-schedule module of Fairbehs(B).


¹ If α is a sequence from a set S and T is a subset of S, then α|T is defined to be the subsequence of α consisting of elements in T.